Endpoint /oauth/token

POST https://example.com/oauth/token

The token endpoint is used to programmatically request access tokens. It supports the "authorization_code", "client_credentials" and "refresh_token" grant types.

Examples

This sample requests an access token by sending the authorization code to the "oauth/authorize" endpoint. The return value is a valid access token object.

# Request:
curl --request POST 'https://trial.dsserver.io/oauth/token' \
    --header 'Content-Type: application/x-www-form-urlencoded' \
    --header 'Authorization: Basic ZHNzZXJ2ZXIuWkVid0tDWTNpZFV1TDBxYWVCZUs4WTBhSjVGRElTMzY6NGdLMFlKMDRNM0g5MTM2bU95OHU1SmRBc1NuT3RYZFo=' \
    --data-urlencode 'grant_type=client_credentials' \
    --data-urlencode 'redirect_uri=https://trial.dsserver.io' \
    --data-urlencode 'client_id=yourclientid' \
    --data-urlencode 'client_secret=yourclientsecret'

# Response:
{
    "access_token": "nmZ80Zn2R0P2AbS149E31IUHd5aZgB9T",
    "token_type": "Bearer",
    "expires_in": "3600"
}

Request Payload

| Type | Value |
|------|-------|
| TokenData | The parameters of the TokenData object must be sent using the "application/x-www-form-urlencoded" format with a character encoding of UTF-8 in the HTTP request body payload. |

TokenData

| Name | Type | Value | Optional |
|------|------|-------|----------|
| grant_type | String | The grant type of the token request. Supported values are "authorization_code", "client_credentials" and "refresh_token". | no |
| code | String | The authorization code for "authorization_code". | no |
| redirect_uri | String | The redirect URI must exactly match one of the allowed redirect URIs for that client. | no |
| client_id | String | The identifier of the client named ClientID. | no |
| client_secret | String | The secret of the client named ClientSecret. | no |
| refresh_token | String | The refresh token (required for "refresh_token" grant type). | no |
| scope | String | The scope of the request. | no |

Success Response

| Status | Description |
|--------|-------------|
| 200 | On success, the HTTP status code in the response header is 200 (OK). It returns a valid access token object. |

Error Response

| Status | Description |
|--------|-------------|
| 401 | A 401 (Unauthorized) is returned if the user is not authorized. |
| 400 | A 400 (Bad Request) is returned if the redirect URI is invalid. |
| 400 | A 400 (Bad Request) is returned if the grant type is not supported. |
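
The request and response handling documented above, as an added Python example that is not part of the original documentation. It mirrors the field set of the sample curl request, takes caller-supplied credentials, and maps the documented 200, 400 and 401 outcomes; the function names are assumptions.

```python
import base64
import json
import time
from urllib.parse import urlencode
from urllib.request import Request

TOKEN_URL = "https://example.com/oauth/token"  # endpoint as given on this page


def build_token_request(client_id, client_secret, redirect_uri):
    """Build the client_credentials POST with the same fields as the sample."""
    form = {
        "grant_type": "client_credentials",
        "redirect_uri": redirect_uri,
        "client_id": client_id,
        "client_secret": client_secret,
    }
    # urlencode percent-encodes '&', '=', '+' etc., so a secret containing
    # them cannot split or alter the form body (what --data-urlencode does).
    body = urlencode(form).encode("utf-8")
    basic = base64.b64encode(f"{client_id}:{client_secret}".encode("utf-8"))
    headers = {
        "Content-Type": "application/x-www-form-urlencoded",
        "Authorization": "Basic " + basic.decode("ascii"),
    }
    # Credentials travel only in the header and body, never in the URL.
    return Request(TOKEN_URL, data=body, headers=headers, method="POST")


def parse_token_response(status, body, now=None):
    """Return (access_token, expiry_epoch) or raise on a documented error."""
    if status == 401:
        raise PermissionError("401: client is not authorized")
    if status == 400:
        raise ValueError("400: invalid redirect URI or unsupported grant type")
    if status != 200:
        raise RuntimeError(f"unexpected status {status}")
    token = json.loads(body)
    if token.get("token_type", "").lower() != "bearer":
        raise ValueError("unexpected token_type")
    # The sample response carries expires_in as a string ("3600").
    lifetime = int(token["expires_in"])
    now = time.time() if now is None else now
    return token["access_token"], now + lifetime
```

Pass the returned request to `urllib.request.urlopen` to send it, and keep the request headers and body out of application logs, since both carry the client secret.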