Requests should use the host All unauthenticated requests will be redirected to https. The request should meet the following requirements:

If an Accept: header is given it must have the value application/json. Other media types may be rejected.
The domain must be exactly
Just about any OAuth-signed URL can be used for SSO if it's opened in a browser. For API requests, you send a Content-Type: application/json header and we return JSON. If you use that same link in a browser, our app will create a user session and load the corresponding page.

For SSO, we generally advise creating an OAuth-signed link to and making that the target of a 'Manage Backups' or 'Open Sectigo Web Security Platform Dashboard'-type link or button. The /websites path is the default location when customers log in with a username and password and we show an overview of all of their backups.