Code Exchange

Once you have a code from either a registration or a login, you can exchange it for access and refresh tokens. Perform this exchange server to server: the request includes your client secret, which must be treated as a password and never exposed to clients. Store the access and refresh tokens securely on the server side and do not expose them to the end user, since they provide direct access to our APIs.

Note: this endpoint conforms to the OpenID Token Endpoint. The body is sent form-encoded, with the content type application/x-www-form-urlencoded.

Request

URL

/api/oauth2/token

Data

For the token exchange you will send the following fields.

| Name | Value |
| --- | --- |
| grant_type | authorization_code |
| code | The code value from the redirect. |
| redirect_uri | The same redirect_uri value you sent in to the authorization step. |
| client_id | The same client_id value you sent in to the authorization step. |
| client_secret | This is your client secret that was generated when the client was configured. |

Response

| Name | Description |
| --- | --- |
| access_token | This token can be used to call any of our APIs that you have the right permissions and scopes to call. |
| expires_in | The number of seconds the access token is good for. |
| id_token | A JWT that contains information about the user. Please see ID Token for more information. |
| refresh_token | A refresh token that can be used for generating a new access token after the current one expires. See Refresh Token for more information. |
| token_type | Bearer |

Documentation

OIDC Token

POST /api/oauth2/token

Body

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| client_id | string | Required | Your OAuth2 client id |
| client_secret | string | Required | Your OAuth2 client secret |
| code | string | Optional | The OAuth code used for retrieving a bearer token |
| grant_type | string | Required | Grant type |
| partner_session_id | string | Optional | Any session ids you want us to persist on the session |
| redirect_uri | string | Optional | The OAuth2 redirect URI |
| refresh_token | string | Optional | The OAuth refresh token. |

Responses

| Status | Description | Content type |
| --- | --- | --- |
| 200 | tokens | application/json |
