Optional Session Context String

A Session Context String may be returned from the authentication process. Office for iOS will pass this string, in an HTTP header, in calls to the token endpoint URL (RFC 6749#section-3.2) and authenticated calls to the bootstrapper (GetNewAccessToken, Shortcut operations).

The Session Context String is optional, and for the use of the storage provider. A possible scenario would be to include a hint about a “tenant” so endpoints can know where they need to fetch and/or validate tokens.

Returning a Session Context string is done via an sc= URL parameter appended to the value of the Location header from the 302 Found response at the end of the sign-in flow.


The contents of the sc= parameter must be URL encoded.

For example, to return the following information:

  • Redirection URI is https://localhost

  • Authorization code (RFC 6749#section-4.1.2) is “abcdefg”

  • Session Context String is “hello:World”

The Location header in the 302 Found response would be:

Location: https://localhost/?code=abcdefg&sc=hello%3AWorld

If present, the session context string will be included as an HTTP header when calls are made to the token exchange endpoint, and OAuth2 authenticated calls to the bootstrapper (GetNewAccessToken, Shortcut operations) as follows:

X-WOPI-SessionContext: hello:World