Exchanges an authorization code for an access token and an ID Token, following the standard OIDC authorization code flow. PKCE (RFC 7636) is supported.
Send the parameters as application/x-www-form-urlencoded in the POST body. Confidential clients authenticate with HTTP Basic (Client ID and Client Secret as the credentials); public clients, which have no secret, send client_id in the form body instead. Authorization codes are short-lived and single use, so exchange a code promptly and do not retry the request with a code that has already been redeemed.
Request Body
grant_type
string
default:"authorization_code"
required
Must be 'authorization_code'.
code
string
required
The authorization code received after a successful verification.
client_id
string
Required for public clients or when not using HTTP Basic.
redirect_uri
string
Must exactly match the redirect URI used in the authorization request (a mismatch must fail the exchange).
client_secret
string
Confidential clients only. Include the Client Secret either via HTTP Basic (recommended) or in the form body; never send it from a browser or mobile app, which are public clients.
code_verifier
string
(Optional) The PKCE code verifier. Required if a codeChallenge was provided during verification creation; the server recomputes the challenge from it and rejects the exchange on mismatch.
Response
access_token
Bearer token you can use to call the /userinfo endpoint.
token_type
Always "Bearer".
expires_in
Lifetime of the access token in seconds (for example, 3600).
id_token
A JWT with technical, non‑PII claims (for example: sub, acr, hopae_loa, iat, exp, iss, aud). Verify its signature against the issuer's keys and check iss, aud and exp before trusting it.
Personal claims are not included in the ID Token. Use /userinfo to retrieve user attributes.
Example request. A public client would additionally send client_id (and code_verifier when PKCE was used); a confidential client would instead add an Authorization: Basic header or client_secret in the body:
curl --request POST \
--url 'https://sandbox.connect.hopae.com/token' \
--header 'Content-Type: application/x-www-form-urlencoded' \
--data 'grant_type=authorization_code&code=auth_xyz&redirect_uri=https%3A%2F%2Fapp.example.com%2Fcallback'
{
"access_token": "eyJhbGciOiJSUzI1NiIs...",
"token_type": "Bearer",
"expires_in": 3600,
"id_token": "eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9..."
}
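The request construction and response handling described above, as an added example (this is not Hopae's SDK nor code from this page). It builds the form body for both client types, applies HTTP Basic the way RFC 6749 specifies, generates a PKCE pair, and checks the documented fields and technical claims of the response. Assumed, and not on the page: the client_id and secret values, the value of the iss claim, and the sample response and sample id_token, which are constructed for offline use. Signature verification against the issuer's JWKS is left to a JOSE library and is not performed here.

```python
"""Relying-party helpers for the /token exchange (added example, not Hopae's code)."""
import base64
import hashlib
import json
import secrets
import time
from urllib.parse import quote, urlencode

TOKEN_URL = "https://sandbox.connect.hopae.com/token"
ISSUER = "https://sandbox.connect.hopae.com"  # assumed value of the iss claim


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_pkce_pair() -> tuple[str, str]:
    """RFC 7636 S256: 43-char unreserved verifier, challenge = b64url(sha256(verifier))."""
    verifier = b64url(secrets.token_bytes(32))
    challenge = b64url(hashlib.sha256(verifier.encode("ascii")).digest())
    return verifier, challenge


def build_token_request(code, redirect_uri, client_id, client_secret=None,
                        code_verifier=None, basic_auth=True):
    """Return (headers, form_body) for POST /token.

    Confidential client: secret via HTTP Basic (recommended) or in the body.
    Public client (no secret): client_id in the body, plus code_verifier when
    the authorization request carried a code challenge.
    """
    form = {"grant_type": "authorization_code", "code": code, "redirect_uri": redirect_uri}
    headers = {"Content-Type": "application/x-www-form-urlencoded"}
    if client_secret is not None and basic_auth:
        # RFC 6749 s2.3.1: form-encode id and secret before Basic-encoding them.
        cred = f"{quote(client_id, safe='')}:{quote(client_secret, safe='')}"
        headers["Authorization"] = "Basic " + base64.b64encode(cred.encode("ascii")).decode("ascii")
    else:
        form["client_id"] = client_id
        if client_secret is not None:
            form["client_secret"] = client_secret
    if code_verifier is not None:
        form["code_verifier"] = code_verifier
    return headers, urlencode(form)


def parse_token_response(body: str) -> dict:
    """Require the documented fields and a Bearer token type."""
    resp = json.loads(body)
    missing = [k for k in ("access_token", "token_type", "expires_in", "id_token") if k not in resp]
    if missing:
        raise ValueError(f"token response missing {missing}")
    if str(resp["token_type"]).lower() != "bearer":
        raise ValueError(f"unexpected token_type {resp['token_type']!r}")
    return resp


def id_token_claims(id_token: str) -> dict:
    """Decode the JWT payload and refuse alg=none; signature checking is assumed elsewhere."""
    header_b64, payload_b64, _signature = id_token.split(".")
    header = json.loads(b64url_decode(header_b64))
    if str(header.get("alg", "none")).lower() == "none":
        raise ValueError("unsigned id_token rejected")
    return json.loads(b64url_decode(payload_b64))


def validate_id_token_claims(claims: dict, client_id: str, now: float, leeway: int = 60) -> dict:
    """Check the technical claims the page lists: iss, aud, exp, iat, sub."""
    if claims.get("iss") != ISSUER:
        raise ValueError("iss mismatch")
    aud = claims.get("aud")
    if client_id not in ([aud] if isinstance(aud, str) else aud or []):
        raise ValueError("aud does not include this client")
    if "exp" not in claims or now > claims["exp"] + leeway:
        raise ValueError("id_token expired")
    if "iat" in claims and claims["iat"] > now + leeway:
        raise ValueError("iat is in the future")
    if not claims.get("sub"):
        raise ValueError("sub missing")
    return claims


def constructed_id_token(claims: dict) -> str:
    """Constructed sample: RS256 header, given payload, dummy signature (offline demo only)."""
    header = b64url(json.dumps({"alg": "RS256", "typ": "JWT"}).encode())
    return f"{header}.{b64url(json.dumps(claims).encode())}.{b64url(b'not-a-real-signature')}"


if __name__ == "__main__":
    now = int(time.time())
    verifier, challenge = make_pkce_pair()  # challenge went into the authorization request
    headers, body = build_token_request("auth_xyz", "https://app.example.com/callback",
                                        "app-123", code_verifier=verifier)
    print("POST", TOKEN_URL, headers, body)
    # Constructed response; a real one comes back from TOKEN_URL.
    sample = json.dumps({"access_token": "x", "token_type": "Bearer", "expires_in": 3600,
                         "id_token": constructed_id_token({"sub": "u1", "acr": "constructed",
                                                           "hopae_loa": "constructed", "iss": ISSUER,
                                                           "aud": "app-123", "iat": now,
                                                           "exp": now + 3600})})
    resp = parse_token_response(sample)
    print(validate_id_token_claims(id_token_claims(resp["id_token"]), "app-123", now))
```

Send the headers and body with any HTTP client (the curl above maps one-to-one onto them). The claim checks run only after a JOSE library has verified the RS256 signature against the issuer's published keys; decoding the payload first, as `id_token_claims` does, is safe only because nothing is trusted until `validate_id_token_claims` passes on a signature-verified token.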