Exchange authorization code or refresh token for tokens
RFC 6749-compliant token endpoint. Pass client_id in the request body (Section 2.3.1). Use grant_type ‘authorization_code’ to exchange an auth code for tokens, or ‘refresh_token’ to refresh an access token. Accepts both application/x-www-form-urlencoded (standard per RFC 6749 Section 4.1.3) and application/json content types.
Authorizations
Bearer authentication header of the form Bearer <token>, where <token> is your auth token.
Body
Token request body. client_id is required. Accepts application/x-www-form-urlencoded (RFC 6749 standard) or application/json. Use grant_type 'authorization_code' with client_secret (confidential) or code_verifier (public/PKCE), or grant_type 'refresh_token' with client_secret (confidential) or just the refresh_token (public).
- Option 1
- Option 2
- Option 3
- Option 4
The client identifier
"my-client-id"
The grant type — must be 'authorization_code'
authorization_code "authorization_code"
The authorization code received from the authorize endpoint
"abc123"
The redirect URI used in the authorization request
"https://example.com/callback"
The client secret for confidential clients
Response
The access token
"eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9..."
The token type
"bearer"
The refresh token
"eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9..."
The number of seconds until the access token expires
1800