OAuth2 Token
Exchanges authorization codes for access and refresh tokens, or uses refresh tokens to obtain new access tokens. This endpoint supports multiple OAuth2 grant types including authorization_code and refresh_token flows.
Use Case: Obtain API access tokens after user authorization or refresh expired tokens to maintain continuous API access for applications.
Body
- Authorization Code
- PKCE
- Refresh Token
Use this when your app has a backend server and can safely store a client secret. Exchange a one-time authorization code for tokens by sending client_secret.
OAuth2 client identifier.
OAuth2 client secret for confidential server-side apps.
Authorization code returned from the authorize or confirm flow.
Grant type for code exchange. The backend accepts authorization_code and normalizes it internally.
code, authorization_code
"authorization_code"
Redirect URI used earlier in the login flow. Must match exactly.
"https://yourapp.com/callback"
Response
Tokens issued successfully
OAuth2 token response. Fields may vary slightly by flow and server behavior, so response properties are documented without a required list.
OAuth2 access token used in the Authorization header.
Refresh token used to obtain a new access token later.
Token type returned by the server, typically Bearer.
"Bearer"
Access token lifetime in seconds.
3600
Refresh token lifetime in seconds.
2592000
Space-separated scopes granted for this token.
"read write"
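The following is an added example, not code from this API's own documentation. It sketches the backend side of the authorization-code exchange: building the request body, then validating a response that has no required field list. The parameter and field names (`client_id`, `code`, `grant_type`, `redirect_uri`, `access_token`, `refresh_token`, `token_type`, `expires_in`, `scope`) are the standard RFC 6749 names and are assumed here, as is a form-encoded body; the helper names and sample values are constructed.

```python
import json
import time
from dataclasses import dataclass
from typing import Optional
from urllib.parse import urlencode

@dataclass(frozen=True)
class TokenSet:
    access_token: str
    refresh_token: Optional[str]
    expires_at: Optional[float]  # absolute epoch seconds; None if no lifetime was reported
    scopes: frozenset

def build_code_exchange_body(client_id, client_secret, code, redirect_uri):
    """Form body for the code exchange (RFC 6749 parameter names, assumed)."""
    return urlencode({
        "grant_type": "authorization_code",
        "client_id": client_id,
        "client_secret": client_secret,  # backend only; never ship to a browser or mobile app
        "code": code,                    # one-time code; do not retry with the same value
        "redirect_uri": redirect_uri,    # must be exactly the value used earlier in the login flow
    })

def parse_token_response(raw, now=None):
    """Validate a token response whose fields are all optional on paper."""
    now = time.time() if now is None else now
    data = json.loads(raw)
    if not isinstance(data, dict):
        raise ValueError("token response is not a JSON object")
    access = data.get("access_token")
    if not isinstance(access, str) or not access:
        raise ValueError("no access_token in response")
    # token_type may be absent; if present it must be Bearer (case-insensitive).
    if str(data.get("token_type", "Bearer")).lower() != "bearer":
        raise ValueError("unsupported token_type")
    lifetime = data.get("expires_in")
    usable = isinstance(lifetime, (int, float)) and not isinstance(lifetime, bool) and lifetime > 0
    refresh = data.get("refresh_token")
    scope = data.get("scope")
    return TokenSet(
        access_token=access,
        refresh_token=refresh if isinstance(refresh, str) and refresh else None,
        expires_at=now + lifetime if usable else None,
        scopes=frozenset(scope.split()) if isinstance(scope, str) else frozenset(),
    )

# Constructed sample response built from the example values shown on this page.
SAMPLE = json.dumps({"access_token": "example-access", "refresh_token": "example-refresh",
                     "token_type": "Bearer", "expires_in": 3600, "scope": "read write"})
```

Compare the returned `scopes` against what the application requested before using the token, and treat `expires_at is None` as a signal to refresh on the first 401 rather than assuming a lifetime.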