Requests should use the host All unauthenticated requests will be redirected to https. The request should meet the following requirements:

  1. If an Accept: header is given it must have the value application/json. Other media types may be rejected.
  2. The domain must be exactly

Just about any OAuth-signed URL can be used for SSO if it's opened in a browser. For API requests, you send a 'Content-Type: application/json' header and we return JSON. If you use that same link in a browser, our app will create a user session and load the corresponding page.

For SSO, we generally advise creating an OAuth-signed link to "" and making that the target of a 'Manage Backups' or 'Open CodeGuard Dashboard'-type link or button. The /websites path is the default location when customers log in with a username and password and we show an overview of all of their backups.