Exchange tokens

POST

/oauth/token

Supports authorization_code and refresh_token grants. client_id is required for authorization_code. In refresh_token, client_id is optional and, if provided, must match the client bound to the refresh token.

Request Body

application/x-www-form-urlencoded

object

Valid values"authorization_code""refresh_token"

Required for authorization_code. Optional for refresh_token; if provided, it must match the client bound to the refresh token.

Format"uuid"

Required when grant_type=authorization_code.

Required when grant_type=authorization_code. Must exactly match the application's registered redirect URI.

Format"uri"

Required when grant_type=authorization_code.

Required when grant_type=refresh_token.

Responses

OAuth tokens

Content-Type

application/json

{

  

"access_token": "string",

  

"token_type": "Bearer",

  

"refresh_token": "string",

  

"expires_in": 0

}

POST

/oauth/token

Playground

Body

grant_type*

client_id

code

redirect_uri

code_verifier

refresh_token

Samples