Skip to main content
POST
Token Exchange

Endpoint

Content Type

Grant Types

This endpoint supports two grant types:
  1. authorization_code - Exchange authorization code for tokens
  2. refresh_token - Refresh an expired access token

Authorization Code Grant

Exchange an authorization code for access and refresh tokens.

Request Parameters

grant_type
string
required
Must be authorization_code
code
string
required
The authorization code received from /oauth2/authorize
client_id
string
required
Your agent ID (obtained during registration)
redirect_uri
string
required
Must exactly match the redirect_uri used in authorization request
code_verifier
string
required
The PKCE code verifier (OAuth 2.1 requirement)
client_secret
string
Optional for public clients. Required for confidential clients.

Example Request

Success Response

access_token
string
JWT access token for making authenticated API requests
token_type
string
Always Bearer
expires_in
number
Token lifetime in seconds (typically 3600 = 1 hour)
refresh_token
string
Long-lived token for refreshing the access token
scope
string
Space-separated list of granted scopes
Response

Refresh Token Grant

Refresh an expired access token using a refresh token.

Request Parameters

grant_type
string
required
Must be refresh_token
refresh_token
string
required
The refresh token received from a previous token response
client_id
string
required
Your agent ID
client_secret
string
Optional for public clients

Example Request

Success Response

Response
Refresh tokens are not rotated by default. The same refresh token can be used multiple times.

Error Responses

invalid_request
400
Missing or invalid required parameters
invalid_grant
401
Invalid authorization code, expired code, or PKCE verification failed
invalid_client
401
Invalid client_id or client_secret
unsupported_grant_type
400
Grant type not supported (OAuth 2.1 only supports authorization_code and refresh_token)

Common Issues

Cause: Code verifier doesn’t match the original code challengeSolutions:
  • Ensure you’re using the same verifier that generated the challenge
  • Check that the verifier is stored correctly in sessionStorage
  • Verify the SHA-256 hashing is implemented correctly
Cause: Code older than 10 minutesSolution: Restart the OAuth flow from /oauth2/authorize
Cause: Redirect URI doesn’t exactly match the one used in authorizationSolution: Ensure exact match including protocol, domain, port, and path
Cause: Refresh token expired (30 days) or revokedSolution: User must re-authenticate via /oauth2/authorize

Token Lifetime

Security Notes

  • Authorization codes are single-use and expire quickly - Always use PKCE (required by OAuth 2.1) - Store refresh tokens securely - Never expose tokens in URLs or logs

Authorization

Start the OAuth flow

User Info

Get user information with access token