Create Tokens

🛡️

OIDC/OAuth 2 Compliant

This endpoint is compliant with the OIDC Token Endpoint (Authorization Code Flow) specification and supports the authorization_code and refresh_token grant types. In addition, this endpoint also supports authenticating machines using the OAuth 2 client_credentials grant type.

🔐

Client Authentication

Confidential clients (i.e., BACKEND_SERVER and MACHINE_TO_MACHINE client types) must supply their client ID and secret in the Authorization header using the Basic Authentication scheme. For example, Authorization: Basic base64Encode(<client_id>:<client_secret>). Public clients that don't have a client secret can omit the Authorization header but must provide their client ID in the request body.

Creates tokens for the specified grant type. The fields that are required to be sent in the request differ depending on the provided grant type.

Supported Grant Types:

  • authorization_code: The client uses the authorization code sent in the callback request to retrieve tokens on behalf of a user.
  • client_credentials: The client can request an access token for itself using only its client credentials.
  • refresh_token: If the offline_access scope was specified in the authorization request, refresh tokens are issued to the client in the token response and can be used to obtain a new access token when the current access token becomes invalid or expires.
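
The following sketch is an added example, not code from this API's documentation or SDK. It builds the headers and form body of a token request according to the client authentication rule above, without sending anything. The helper name `build_token_request` is hypothetical, and the grant-specific body fields (`code`, `redirect_uri`, `refresh_token`) are the standard RFC 6749 parameter names, assumed here because this page does not list them.

```python
import base64
from urllib.parse import urlencode

# Grant-specific body fields per RFC 6749 (assumed; this page does not list them).
# redirect_uri is assumed to have been sent in the authorization request.
REQUIRED_FIELDS = {
    "authorization_code": ("code", "redirect_uri"),
    "client_credentials": (),
    "refresh_token": ("refresh_token",),
}


def build_token_request(grant_type, client_id, client_secret=None, **fields):
    """Return (headers, body) for a token request; nothing is sent."""
    if grant_type not in REQUIRED_FIELDS:
        raise ValueError(f"unsupported grant type: {grant_type}")
    missing = [f for f in REQUIRED_FIELDS[grant_type] if not fields.get(f)]
    if missing:
        raise ValueError(f"missing fields for {grant_type}: {missing}")
    if grant_type == "client_credentials" and client_secret is None:
        raise ValueError("client_credentials requires a confidential client")

    headers = {"Content-Type": "application/x-www-form-urlencoded"}
    body = {"grant_type": grant_type, **fields}
    if client_secret is not None:
        # Confidential client: ID and secret travel only in the Authorization
        # header, so the secret never lands in the form body.
        if ":" in client_id:
            # Basic splits on the first ':'; an ID containing one is ambiguous.
            raise ValueError("client ID must not contain ':'")
        pair = f"{client_id}:{client_secret}".encode()
        headers["Authorization"] = "Basic " + base64.b64encode(pair).decode("ascii")
    else:
        # Public client: no Authorization header, client ID goes in the body.
        body["client_id"] = client_id
    return headers, urlencode(body)
```

Keeping the secret out of the body for confidential clients matters because request bodies are more likely than Authorization headers to be captured by application logging and debugging proxies.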