Code Exchange
Last updated
Once you have a code from either a registration or login you can exchange it for access & refresh tokens. This activity should be performed server to server as it includes your client secret which must be treated as a password and you should never expose it to clients. The access & refresh token should be stored securely server side and not exposed to the end user since they provide direct access to our APIs.
Note - this endpoint conforms to . Please be aware that the body is sent form encoded with the content type application/x-www-form-urlencoded.
Endpoint: /api/oauth2/token
For the token exchange you will send the following fields.
grant_type - authorization_code
code - The code value from the redirect.
redirect_uri - The same redirect_uri value you sent in to the authorization step.
client_id - The same client_id value you sent in to the authorization step.
client_secret - This is your client secret that was generated when the client was configured.
The response contains the following fields.
access_token - This token can be used to call any of our APIs that you have the right permissions and scopes to call.
expires_in - The number of seconds the access token is good for.
id_token - A JWT that contains information about the user. Please see for more information.
refresh_token - A refresh token that can be used for generating a new access token after the current one expires. See for more information.
token_type - Bearer
The API reference describes the request body parameters as follows (parameter names are matched to the descriptions above where the page gives them):
client_id - Your OAuth2 client id
client_secret - Your OAuth2 client secret
code - The OAuth code used for retrieving a bearer token
grant_type - Grant type
(parameter name not given on this page) - Any session ids you want us to persist on the session
redirect_uri - The OAuth2 redirect URI
refresh_token - The OAuth refresh token.
Access tokens must be treated as extremely sensitive. They should be stored securely on your server and should never be sent anywhere except our services. Do not send them back to end user clients or return them in a response from your servers.
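The following is an added example (not the vendor's SDK or code from this page) of the server-to-server exchange described above: it builds the form-encoded POST with the five request fields, validates the documented response fields, and keeps the resulting tokens in a server-side store so that the end-user client only ever receives an opaque session id. The host name in TOKEN_ENDPOINT, the in-memory session store and the sample response in the comments are assumptions constructed for illustration.

```python
"""Server-side authorization-code exchange for /api/oauth2/token.

Added example, not the vendor's own code. The host name, the session store
and any sample values are constructed for illustration.
"""
import json
import secrets
import time
import urllib.parse
import urllib.request

# Assumed host; only the path /api/oauth2/token comes from the documentation.
TOKEN_ENDPOINT = "https://api.example.invalid/api/oauth2/token"

# Stand-in for a server-side session store. Tokens are written here and never
# returned to the browser or other end-user client.
_SESSIONS = {}


def build_token_request(code, redirect_uri, client_id, client_secret):
    """Return (headers, body) for the form-encoded exchange request.

    The body carries exactly the fields the documentation lists. The client
    secret is included here because this function only ever runs on the server.
    """
    fields = {
        "grant_type": "authorization_code",
        "code": code,
        # Must be byte-for-byte the value sent to the authorization step.
        "redirect_uri": redirect_uri,
        "client_id": client_id,
        "client_secret": client_secret,
    }
    body = urllib.parse.urlencode(fields).encode("ascii")
    headers = {
        "Content-Type": "application/x-www-form-urlencoded",
        "Accept": "application/json",
    }
    return headers, body


def parse_token_response(raw, now=None):
    """Validate the documented response fields and compute an absolute expiry.

    Required: access_token, expires_in, token_type (must be Bearer).
    Optional: refresh_token, id_token. Raises ValueError on a malformed body.
    """
    data = json.loads(raw)
    for required in ("access_token", "expires_in", "token_type"):
        if required not in data:
            raise ValueError("token response missing " + required)
    if str(data["token_type"]).lower() != "bearer":
        raise ValueError("unexpected token_type: %r" % (data["token_type"],))
    now = time.time() if now is None else now
    return {
        "access_token": data["access_token"],
        "refresh_token": data.get("refresh_token"),
        "id_token": data.get("id_token"),
        "expires_at": now + int(data["expires_in"]),
    }


def exchange_code(code, redirect_uri, client_id, client_secret,
                  opener=urllib.request.urlopen):
    """Perform the exchange server to server and return the parsed tokens.

    `opener` is injectable so the function can be exercised without network.
    """
    headers, body = build_token_request(code, redirect_uri, client_id, client_secret)
    request = urllib.request.Request(TOKEN_ENDPOINT, data=body,
                                     headers=headers, method="POST")
    with opener(request) as response:
        return parse_token_response(response.read())


def store_tokens(tokens):
    """Persist the token set server-side; hand out only an opaque session id."""
    session_id = secrets.token_urlsafe(32)
    _SESSIONS[session_id] = tokens
    return session_id


def client_safe_view(session_id, now=None):
    """The only thing an end-user client learns: login state and remaining lifetime.

    Deliberately contains no access_token, refresh_token or id_token.
    """
    tokens = _SESSIONS.get(session_id)
    if tokens is None:
        return {"logged_in": False}
    now = time.time() if now is None else now
    return {"logged_in": True,
            "expires_in": max(0, int(tokens["expires_at"] - now))}
```

In a real deployment the session store would be a server-side database or cache and the session id would travel to the browser in an HttpOnly cookie; the shape of the code stays the same: tokens in, opaque id out.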