Create Tokens

Recent Requests
Log in to see full request history
TimeStatusUser Agent
Retrieving recent requests…
LoadingLoading…

🛡️

OIDC/OAuth 2 Compliant

This endpoint is compliant with the OIDC Token Endpoint (Authorization Code Flow) specification and supports the authorization_code and refresh_token grant types. In addition, this endpoint also support authenticating machines using the OAuth 2 client_credentials grant type.

🔐

Client Authentication

Confidential clients (i.e., BACKEND_SERVER and MACHINE_TO_MACHINE client types) must supply their client ID and secret in the Authorization header using the Basic Authentication scheme. For example, Authorization: Basic base64Encode(<client_id>:<client_secret>). Public clients that don't have a client secret can omit the Authorization header but must provide their client ID in the request body.

Creates tokens for the specified grant type. The fields required in the request differ depending on the provided grant type.

Supported Grant Types:

  • authorization_code: The client uses the authorization code sent in the callback request to retrieve tokens on behalf of a user.
  • client_credentials: The client can request an access token for itself using only its client credentials.
  • refresh_token: If the offline_access scope was specified in the authorization request, refresh tokens are issued to the client in the token response, and can be used to obtain a new access token when the current access token becomes invalid or expires.
Form Data

Token Request

string
enum
required
length ≥ 1

The grant type the client is using to request a token. The grant type determines the parameters required by the token request.

Allowed:
string
length between 1 and 26

[Conditionally Required] The unique identifier of the client.

Required Conditions:

  • This value is only required for non-confidential clients that are not able to authenticate using Basic Authentication with their client ID and secret.
string
length ≥ 1

Allows for specifying the scopes that get associated with the access token. The value of the scope parameter is expressed as a list of space-delimited, case-sensitive strings. If the value contains multiple space-delimited strings, their order does not matter, and each string adds an additional requested scope.

If this value is not provided, then the scopes associated with the issued access token will default to the scopes provided in the authorization request.

If this value is provided, the scopes listed must abide by the following requirements:

  • The provided scopes must be a subset of the scopes defined during the initial authorization request.
  • The openid scope must always be included.

Note: The scope field should not be set if the client_credentials grant type is being used.

string
length ≥ 1

[Conditionally Required] The code verifier that is required for PKCE.

Required Conditions:

  • This field is required only for the authorization_code grant type if a code_challenge was specified in the original authorization request.
string
length ≥ 1

[Conditionally Required] The authorization code obtained through the authorization code flow.

Required Conditions:

  • This field should only be set if the request is using an authorization_code grant type.
uri
length between 1 and 2000

[Conditionally Required] The redirect URI that was used in the authorization request.

Required Conditions:

  • This value should only be present for the authorization_code grant type if a redirect URI was provided in the original authorization request.
string
length ≥ 1

[Conditionally Required] The refresh token that can be used to obtain a new access token.

Required Conditions:

  • This value should only be present for the refresh_token grant type.
Responses

Language
Credentials
Basic
base64
:
URL
LoadingLoading…
Response
Click Try It! to start a request and see the response here! Or choose an example:
application/json