Exchange authorization code or refresh token for tokens

curl --request POST \ --url https://api.cal.com/v2/auth/oauth2/token \ --header 'Authorization: Bearer <token>' \ --header 'Content-Type: application/json' \ --data ' { "client_id": "my-client-id", "grant_type": "authorization_code", "code": "abc123", "redirect_uri": "https://example.com/callback", "client_secret": "<string>" } '

{ "access_token": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9...", "token_type": "bearer", "refresh_token": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9...", "expires_in": 1800, "scope": "BOOKING_READ BOOKING_WRITE" }

Authorizations

Authorization

string

header

required

Bearer authentication header of the form Bearer <token>, where <token> is your auth token.

Body

application/json

Token request body. client_id is required. Accepts application/x-www-form-urlencoded (RFC 6749 standard) or application/json. Use grant_type 'authorization_code' with client_secret (confidential) or code_verifier (public/PKCE), or grant_type 'refresh_token' with client_secret (confidential) or just the refresh_token (public).

Option 1
Option 2
Option 3
Option 4

client_id

string

required

The client identifier

Example:

"my-client-id"

grant_type

enum<string>

required

The grant type — must be 'authorization_code'

Available options:

authorization_code

Example:

"authorization_code"

code

string

required

The authorization code received from the authorize endpoint

Example:

"abc123"

redirect_uri

string

required

The redirect URI used in the authorization request

Example:

"https://example.com/callback"

client_secret

string

required

The client secret for confidential clients

Response

200 - application/json

access_token

string

required

The access token

Example:

"eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9..."

token_type

string

required

The token type

Example:

"bearer"

refresh_token

string

required

The refresh token

Example:

"eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9..."

expires_in

number

required

The number of seconds until the access token expires

Example:

1800

scope

string

required

The granted scopes (space-delimited per RFC 6749)

Example:

"BOOKING_READ BOOKING_WRITE"

Getting Started

Orgs / Attributes

Orgs / Attributes / Options

Orgs / Bookings

Orgs / Delegation Credentials

Orgs / Memberships

Orgs / Roles

Orgs / Roles / Permissions

Orgs / Routing forms

Orgs / Schedules

Orgs / Teams

Orgs / Teams / Bookings

Orgs / Teams / Conferencing

Orgs / Teams / Event Types

Orgs / Teams / Event Types / Private Links

Orgs / Teams / Invite

Orgs / Teams / Memberships

Orgs / Teams / Roles

Orgs / Teams / Roles / Permissions

Orgs / Teams / Routing forms

Orgs / Teams / Routing forms / Responses

Orgs / Teams / Schedules

Orgs / Teams / Stripe

Orgs / Teams / Users / Schedules

Orgs / Teams / Workflows

Orgs / Users

Orgs / Users / Bookings

Orgs / Users / OOO

Orgs / Users / Schedules

Orgs / Webhooks

Api Keys

Bookings

Bookings / Attendees

Bookings / Guests

Cal Unified Calendars

Calendars

Conferencing

Deprecated: Platform / Managed Users

Deprecated: Platform / Webhooks

Deprecated: Platform OAuth Clients

Destination Calendars

Event Types

Event Types / Webhooks

Event Types Private Links

Managed Orgs

Me

OAuth2

Organization Team Verified Resources

Out of Office

Routing forms

Schedules

Selected Calendars

Slots

Stripe

Teams

Teams / Bookings

Teams / Event Types

Teams / Event Types / Webhooks

Teams / Invite

Teams / Memberships

Teams / Schedules

Teams / Users / OOO

Teams Verified Resources

Verified Resources

Webhooks

Authorizations

Body

Response