Token
The token endpoint exchanges authorization codes and refresh tokens for access tokens. It supports two grant types.
Authorization Code Grant
POST /oauth2/token (No Auth)
Exchanges an authorization code for access, ID, and refresh tokens. The code is single-use and expires after 30 seconds.
| Parameter | In | Type | Description |
|---|---|---|---|
| grant_type* | body | string | "authorization_code" |
| code* | body | string | The authorization code from /oauth2/authorize |
| redirect_uri* | body | string | Must match the original authorization request |
| client_id* | body | string | The OAuth client ID |
| client_secret* | body | string | The OAuth client secret |
| code_verifier* | body | string | PKCE code verifier that matches the code_challenge |
Request
```
grant_type=authorization_code&code=abc123&redirect_uri=https://app.example.com/callback&client_id=my-client&client_secret=secret&code_verifier=dBjftJeZ4CVP-mB92K27uhbUJU1p1r_wW1gFWFOEjXk
```
Response
```json
{
  "access_token": "eyJhbGciOiJSUzI1NiIs...",
  "token_type": "Bearer",
  "expires_in": 3600,
  "refresh_token": "dGhpcyBpcyBhIHJlZnJlc2g...",
  "id_token": "eyJhbGciOiJSUzI1NiIs...",
  "scope": "openid profile email"
}
```
Refresh Token Grant
POST /oauth2/token (No Auth)
Exchanges a refresh token for new access and refresh tokens. The old refresh token is invalidated (rotation enforced).
| Parameter | In | Type | Description |
|---|---|---|---|
| grant_type* | body | string | "refresh_token" |
| refresh_token* | body | string | A valid refresh token |
| client_id* | body | string | The OAuth client ID |
| client_secret* | body | string | The OAuth client secret |
Request
```
grant_type=refresh_token&refresh_token=dGhpcyBpcyBh...&client_id=my-client&client_secret=secret
```
Response
```json
{
  "access_token": "eyJhbGciOiJSUzI1NiIs...",
  "token_type": "Bearer",
  "expires_in": 3600,
  "refresh_token": "bmV3IHJlZnJlc2ggdG9rZW4...",
  "id_token": "eyJhbGciOiJSUzI1NiIs...",
  "scope": "openid profile email"
}
```
Token Lifetimes
| Token | Lifetime |
|---|---|
| Access token | 1 hour |
| ID token | 1 hour |
| Refresh token | 7 days |
| Session token | 1 hour |
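
A client-side sketch of the two grants and the rotation rule described above, added here as an example and not taken from this API's own SDK or documentation. It assumes the S256 PKCE challenge method and that every rotated refresh token gets the full 7-day lifetime; `TokenStore` and the function names are hypothetical.

```python
import base64
import hashlib
import secrets
import time
from urllib.parse import urlencode

def b64url(data: bytes) -> str:
    """Base64url without '=' padding, the encoding PKCE uses."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def new_code_verifier() -> str:
    """43-character random verifier; generate a fresh one per authorization request."""
    return b64url(secrets.token_bytes(32))

def s256_challenge(verifier: str) -> str:
    """code_challenge sent to /oauth2/authorize (S256 method is an assumption)."""
    return b64url(hashlib.sha256(verifier.encode("ascii")).digest())

def code_exchange_body(code, verifier, redirect_uri, client_id, client_secret) -> str:
    """Form body for the authorization_code grant; urlencode escapes redirect_uri."""
    return urlencode({
        "grant_type": "authorization_code", "code": code,
        "redirect_uri": redirect_uri, "client_id": client_id,
        "client_secret": client_secret, "code_verifier": verifier,
    })

class TokenStore:
    """Holds the current token pair and applies rotation on every token response."""
    REFRESH_LIFETIME = 7 * 24 * 3600  # 7 days, per the lifetimes table (assumed per token)

    def __init__(self):
        self.access_token = self.refresh_token = None
        self.access_expiry = self.refresh_expiry = 0.0

    def apply_response(self, resp: dict, now: float = None) -> None:
        now = time.time() if now is None else now
        self.access_token = resp["access_token"]
        self.access_expiry = now + resp["expires_in"]
        # Rotation is enforced: the previous refresh token is invalid, so overwrite it.
        self.refresh_token = resp["refresh_token"]
        self.refresh_expiry = now + self.REFRESH_LIFETIME

    def refresh_body(self, client_id, client_secret, now: float = None) -> str:
        now = time.time() if now is None else now
        if self.refresh_token is None or now >= self.refresh_expiry:
            raise RuntimeError("refresh token missing or expired; restart authorization")
        return urlencode({"grant_type": "refresh_token", "refresh_token": self.refresh_token,
                          "client_id": client_id, "client_secret": client_secret})
```

Persist the new refresh token before using the new access token; a client that keeps sending the old refresh token after rotation will have its request rejected.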