/token
Exchange authorization artifacts for tokens or obtain tokens using non-browser grant types.
Prerequisites
- One supported grant type
- Application registration aligned to that grant type
Method
POST /token
Authentication Requirements
- Public clients: typically no client secret, but PKCE is required for authorization code exchange.
- Confidential clients: authenticate with client_secret_basic or client_secret_post.
Request Fields
| Name | Required | Description |
|---|---|---|
| grant_type or grantType | Yes | authorization_code, client_credentials, refresh_token, device_code, or ciba |
| client_id or clientId | Yes | Application identifier |
| client_secret or clientSecret | Conditional | Required for confidential clients and grants that require client authentication |
| code | Conditional | Authorization code |
| code_verifier or codeVerifier | Conditional | PKCE verifier for code exchange |
| redirect_uri or redirectUri | Conditional | Redirect URI used during authorization |
| refresh_token or refreshToken | Conditional | Refresh Token value |
| device_code or deviceCode | Conditional | Device code from /device_authorization |
| auth_req_id or authReqId | Conditional | CIBA authentication request ID |
| scope | Optional | Requested scopes depending on grant |
Example
Example Request
curl -X POST https://localhost:5001/token \
-H "Content-Type: application/x-www-form-urlencoded" \
-u "orders-worker:replace-with-real-secret" \
-d "grant_type=client_credentials&scope=orders.read"
Example Response
{
"isSuccess": true,
"data": {
"accessToken": "eyJhbGciOiJSUzI1NiIsImtpZCI6IjIwMjYtMDMtMTYifQ...",
"tokenType": "Bearer",
"expiresIn": 3600
}
}
Error Responses
- 400 or domain-level validation errors for unsupported grant requests
- Invalid client or invalid secret for confidential clients
- Invalid or expired authorization code
- Invalid or revoked Refresh Token
- Authorization pending or expired device code for device flow
- Too many requests when the client rate-limit policy is exceeded
Common Pitfalls
- Mixing confidential-client and public-client request shapes.
- Sending the wrong redirectUri for authorization code exchange.
- Forgetting offline_access in the initial authorization request and then expecting a Refresh Token.
- Sending two client authentication methods in the same request.
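The following is an added example, not TokenIDP's own client code, that builds a /token request from the Request Fields table and refuses the request shapes listed under Common Pitfalls before anything is sent (a public client exchanging a code without a PKCE verifier, or a secret supplied twice). It assumes that client_secret_basic is an HTTP Basic Authorization header and client_secret_post is a client_secret form field, that the snake_case field names are accepted as the Troubleshooting note says, and that responses use the isSuccess/data envelope shown in the Example Response. The client ids, code and redirect URI in the demo are constructed; the PKCE test vector is the one from RFC 7636 Appendix B.

```python
import base64
import hashlib
import secrets
from urllib.parse import urlencode

# Added example, not TokenIDP's own client code. Assumptions: snake_case form fields
# from the Request Fields table are accepted; client_secret_basic = HTTP Basic header,
# client_secret_post = client_secret form field; responses use {"isSuccess", "data"}.
TOKEN_ENDPOINT = "https://localhost:5001/token"  # URL from the page's curl example

# Conditional fields from the table, keyed by the grant that needs them.
REQUIRED_BY_GRANT = {
    "authorization_code": ("code", "redirect_uri"),
    "client_credentials": (),
    "refresh_token": ("refresh_token",),
    "device_code": ("device_code",),
    "ciba": ("auth_req_id",),
}


def pkce_challenge(code_verifier: str) -> str:
    """S256 challenge: BASE64URL(SHA256(ASCII(code_verifier))) without '=' padding."""
    digest = hashlib.sha256(code_verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def make_pkce_pair() -> tuple[str, str]:
    """Fresh (code_verifier, code_challenge); 32 random bytes give a 43-char verifier."""
    verifier = base64.urlsafe_b64encode(secrets.token_bytes(32)).rstrip(b"=").decode("ascii")
    return verifier, pkce_challenge(verifier)


def build_token_request(grant_type, client_id, client_secret=None,
                        auth_method="client_secret_basic", fields=None):
    """Return (headers, form_body) for POST /token, rejecting the Common Pitfalls shapes."""
    if grant_type not in REQUIRED_BY_GRANT:
        raise ValueError(f"unsupported grant_type: {grant_type}")
    fields = dict(fields or {})
    if "client_secret" in fields:
        # A secret in fields plus client_secret= would be two authentication methods.
        raise ValueError("pass the secret via client_secret=, not in fields")

    headers = {"Content-Type": "application/x-www-form-urlencoded"}
    form = {"grant_type": grant_type, "client_id": client_id}

    if client_secret is None:
        # Public client: no secret, so a code exchange must carry the PKCE verifier.
        if grant_type == "client_credentials":
            raise ValueError("client_credentials needs a confidential client")
        if grant_type == "authorization_code" and "code_verifier" not in fields:
            raise ValueError("public clients must send code_verifier for code exchange")
    elif auth_method == "client_secret_basic":
        cred = base64.b64encode(f"{client_id}:{client_secret}".encode("utf-8")).decode("ascii")
        headers["Authorization"] = "Basic " + cred
    elif auth_method == "client_secret_post":
        form["client_secret"] = client_secret
    else:
        raise ValueError(f"unknown client authentication method: {auth_method}")

    missing = [name for name in REQUIRED_BY_GRANT[grant_type] if name not in fields]
    if missing:
        raise ValueError(f"{grant_type} requires: {', '.join(missing)}")
    form.update(fields)
    return headers, urlencode(form)


def parse_token_response(payload: dict) -> dict:
    """Unwrap the {"isSuccess", "data"} envelope and check the token is a usable bearer."""
    if not payload.get("isSuccess"):
        raise ValueError(f"token request failed: {payload}")
    data = payload["data"]
    if data.get("tokenType") != "Bearer" or not data.get("accessToken"):
        raise ValueError("response does not carry a bearer access token")
    return {"access_token": data["accessToken"], "expires_in": int(data["expiresIn"])}


if __name__ == "__main__":
    # Confidential worker from the page's example, authenticating with client_secret_basic.
    headers, body = build_token_request("client_credentials", "orders-worker",
                                        client_secret="replace-with-real-secret",
                                        fields={"scope": "orders.read"})
    print(headers, body, sep="\n")
    # Public client finishing a PKCE code exchange (client id, code and URI are constructed).
    verifier, challenge = make_pkce_pair()
    headers, body = build_token_request(
        "authorization_code", "spa-client",
        fields={"code": "CONSTRUCTED-CODE", "redirect_uri": "https://app.example/cb",
                "code_verifier": verifier})
    print(body)
    # Constructed response in the page's envelope shape.
    print(parse_token_response({"isSuccess": True, "data": {
        "accessToken": "eyJ...", "tokenType": "Bearer", "expiresIn": 3600}}))
```

The verifier from make_pkce_pair belongs to the earlier authorization request (as its S256 code_challenge); only the verifier travels to /token, which is why build_token_request treats a missing code_verifier on a public-client code exchange as a client-side error rather than letting the server reject it.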
Troubleshooting
- If a client library sends form encoding, TokenIDP accepts standard snake_case form fields.
- If token exchange fails only in production, verify the Application's allowed grant types and secret rotation state.