# Back-Channel Login

> Send an authentication request directly to a user’s enrolled device using the CIBA back-channel login flow.

## Endpoint

`POST /bc-authorize`

The Back-Channel Login endpoint lets an application send an authentication request to a user’s phone (the authentication device), provided the user has an app installed and is enrolled for [push notifications using the Guardian SDK](https://auth0.com/docs/secure/multi-factor-authentication/auth0-guardian#enroll-in-push-notifications).

Use the Back-Channel Login endpoint to authenticate users for the following use cases:

* Users are not in front of the application that requires authentication, such as when they're telephoning a call center.
* The consumption device, or the device that helps the user consume a service, is insecure for sensitive operations (e.g., web browser for financial transactions).
* The consumption device has limited interactive capability (e.g., e-bicycles or e-scooters).

### Response Body

If the request is successful, you should receive a response like the following:

```json
{
  "auth_req_id": "eyJh...",
  "expires_in": 300,
  "interval": 5
}
```

Keep the `auth_req_id` value: it is used later in the flow to identify the authentication request.

The `expires_in` value tells you how many seconds you have until the authentication request expires.

The `interval` value tells you how many seconds you must wait between poll requests.

The request should be approved or rejected on the user’s authentication device using the Guardian SDK.

### Remarks

* The `login_hint` value follows the `iss_sub` format. For example:

```json
{ "format": "iss_sub", "iss": "https://[TENANT_DOMAIN]/", "sub": "auth0|[USER ID]" }
```

* Authentication can use Client Secret (via HTTP Basic Auth or Post), Private Key JWT, or mTLS. Please refer to the detailed examples above.

## Body Parameters

<ParamField body="client_id" type="string" required>
  The `client_id` of your application.
</ParamField>

<ParamField body="binding_message" type="string" required>
  A human-readable string that lets the user confirm they are approving the correct request.
</ParamField>

<ParamField body="login_hint" type="string" required>
  A JSON object containing user details for authentication in the `iss_sub` format.
</ParamField>

<ParamField body="scope" type="string" required>
  Space-separated list of OIDC and custom API scopes, including `openid` at a minimum.
</ParamField>

<ParamField body="audience" type="string">
  Optional unique identifier of the target API for access tokens.
</ParamField>

<ParamField body="resource" type="string">
  The identifier of the target API (resource server) you want to access. Must match an API Identifier registered in your Auth0 tenant. Used as an alternative to `audience` when the tenant's [Resource Parameter Compatibility Profile](https://auth0.com/docs/get-started/tenant-settings#settings-advanced) is set to `compatibility`.
</ParamField>

<ParamField body="requested_expiry" type="string">
  Custom expiry time for the request in seconds (1-300). Defaults to 300 seconds.
</ParamField>

<ParamField body="authorization_details" type="array">
  An optional JSON array of objects that describe the permissions to be authorized. Each object’s `type` value should be previously registered on the resource server using the Resource Server’s `authorization_details` parameter. To learn more, read the [Update a resource server](https://auth0.com/docs/api/management/v2/resource-servers/patch-resource-servers-by-id#body-parameters) Management API documentation.
</ParamField>
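
The following is an added example, not Auth0's own code: it validates and assembles the body parameters above, builds the `POST /bc-authorize` request without sending it, and turns the `interval` and `expires_in` response values into a poll schedule. The function names are hypothetical, the host name, client ID, secret and user ID are placeholders supplied by the caller, and `client_secret` is assumed as the form field for Client Secret via Post (the standard OAuth name).

```python
import json
from urllib.parse import urlencode
from urllib.request import Request

def bc_authorize_form(tenant_domain, client_id, sub, binding_message,
                      scope="openid", requested_expiry=300):
    """Validate and assemble the body parameters for POST /bc-authorize."""
    if "/" in tenant_domain or ":" in tenant_domain:
        raise ValueError("tenant_domain must be a bare host name")
    if "openid" not in scope.split():
        raise ValueError("scope must include openid")
    if not 1 <= int(requested_expiry) <= 300:
        raise ValueError("requested_expiry must be 1-300 seconds")
    if not binding_message.strip():
        raise ValueError("binding_message is required")
    # login_hint is sent as a JSON string in the iss_sub format.
    login_hint = {"format": "iss_sub", "iss": f"https://{tenant_domain}/", "sub": sub}
    return {
        "client_id": client_id,
        "binding_message": binding_message,
        "login_hint": json.dumps(login_hint),
        "scope": scope,
        "requested_expiry": str(requested_expiry),
    }

def bc_authorize_request(tenant_domain, form, client_secret):
    """Build, without sending, the HTTP request (Client Secret via Post)."""
    body = dict(form, client_secret=client_secret)  # assumed field name
    return Request(
        f"https://{tenant_domain}/bc-authorize",
        data=urlencode(body).encode("ascii"),
        # CIBA requests are form-encoded, not JSON.
        headers={"Content-Type": "application/x-www-form-urlencoded"},
        method="POST",
    )

def poll_times(response, received_at):
    """Earliest allowed poll timestamps (integer seconds), none at or past expiry."""
    interval, expires_in = int(response["interval"]), int(response["expires_in"])
    if interval <= 0 or expires_in <= 0:
        raise ValueError("interval and expires_in must be positive")
    deadline = received_at + expires_in
    return list(range(received_at + interval, deadline, interval))
```
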

## Response Messages

| Status | Description                                    |
| ------ | ---------------------------------------------- |
| 200    | Authentication request successfully initiated. |
| 400    | Bad Request - Invalid parameters               |
| 500    | Internal Server Error                          |
