The grant type the client is using to request a token. The grant type determines the parameters required by the token request.

[Conditionally Required] The unique identifier of the client.

Required Conditions:

• This value is only required for non-confidential clients that are not able to authenticate using Basic Authentication with their client ID and secret.

Allows for specifying the scopes that get associated with the access token. The value of the scope parameter is expressed as a list of space-delimited, case-sensitive strings. If the value contains multiple space-delimited strings, their order does not matter, and each string adds an additional requested scope.

If this value is not provided, then the scopes associated with the issued access token will default to the scopes provided in the authorization request.

If this value is provided, the scopes listed must abide by the following requirements:

• The provided scopes must be a subset of the scopes defined during the initial authorization request.
• The openid scope must always be included.

Note: The scope field should not be set if the client_credentials grant type is being used.

[Conditionally Required] The code verifier that is required for PKCE.

Required Conditions:

• This field is required only for the authorization_code grant type if a code_challenge was specified in the original authorization request.

[Conditionally Required] The authorization code obtained through the authorization code flow.

Required Conditions:

• This field should only be set if the request is using an authorization_code grant type.

[Conditionally Required] The refresh token that can be used to obtain a new access token.

Required Conditions:

• This value should only be present for the refresh_token grant type.