POST /token
Token
curl --request POST \
  --url https://sandbox.connect.hopae.com/token \
  --header 'Content-Type: application/x-www-form-urlencoded' \
  --data-urlencode 'grant_type=authorization_code' \
  --data-urlencode 'code=<string>' \
  --data-urlencode 'redirect_uri=<string>' \
  --data-urlencode 'client_id=<string>' \
  --data-urlencode 'code_verifier=<string>'
{
  "access_token": "eyJhbGciOiJSUzI1NiIs...",
  "token_type": "Bearer",
  "expires_in": 3600,
  "id_token": "eyJhbGciOiJSUzI1NiIs..."
}
Exchange the authorization code for an access_token and id_token.

Headers

Content-Type
string
default:"application/x-www-form-urlencoded"
required
Request body must be form‑encoded.
Authorization
string
For confidential clients only. Use Basic <base64(client_id:client_secret)>.

Form Parameters

grant_type
string
default:"authorization_code"
required
Must be authorization_code.
code
string
required
The single‑use authorization code from /auth.
redirect_uri
string
required
Must exactly match the redirect_uri used at /auth.
client_id
string
Required for public clients (when not using Basic auth).
code_verifier
string
Required if PKCE was used (recommended for SPAs/native apps).
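
An added example (not Hopae's own code) of assembling this request in Python: it builds the PKCE pair and the form-encoded body for either a confidential or a public client. The S256 challenge method at /auth is an assumption taken from RFC 7636, the helper names are hypothetical, and rejecting a public client that has no code_verifier is this example's own policy, stricter than the page, which only recommends PKCE.

```python
import base64
import hashlib
import secrets
from urllib.parse import urlencode


def s256_challenge(verifier):
    """code_challenge = BASE64URL(SHA256(code_verifier)), padding stripped."""
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def make_pkce_pair():
    """Return (code_verifier, code_challenge); S256 is assumed, see lead-in."""
    verifier = secrets.token_urlsafe(64)  # 86 chars, inside RFC 7636's 43..128
    return verifier, s256_challenge(verifier)


def build_token_request(code, redirect_uri, client_id,
                        code_verifier=None, client_secret=None):
    """Return (headers, body) for POST /token.

    Confidential client: client_id and client_secret go in the Basic header.
    Public client: client_id goes in the form body.
    """
    headers = {"Content-Type": "application/x-www-form-urlencoded"}
    form = {
        "grant_type": "authorization_code",
        "code": code,                  # single-use, never retry with the same one
        "redirect_uri": redirect_uri,  # must exactly match the value sent to /auth
    }
    if client_secret is not None:
        raw = f"{client_id}:{client_secret}".encode("utf-8")
        headers["Authorization"] = "Basic " + base64.b64encode(raw).decode("ascii")
    else:
        # Policy of this example only: a public client has no secret, so
        # refuse to build the request unless PKCE protects the code.
        if code_verifier is None:
            raise ValueError("public client without code_verifier")
        form["client_id"] = client_id
    if code_verifier is not None:
        form["code_verifier"] = code_verifier
    return headers, urlencode(form)
```

Keep the code_verifier in the same client session that started the /auth request and send the returned body unchanged as the POST payload.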

Responses

access_token
string
Bearer token for calling /userinfo.
token_type
string
default:"Bearer"
Always Bearer.
expires_in
number
Lifetime of the access token in seconds (e.g., 3600).
id_token
string
JWT describing the authentication event (iss, aud, sub, exp, iat, optional nonce, and possibly acr).

Examples

curl -X POST 'https://sandbox.connect.hopae.com/token' \
  -H 'Content-Type: application/x-www-form-urlencoded' \
  -H 'Authorization: Basic BASE64(client_id:client_secret)' \
  -d 'grant_type=authorization_code&code=abc123&redirect_uri=https%3A%2F%2Fapp.example.com%2Fcallback'
{
  "access_token": "eyJhbGciOiJSUzI1NiIs...",
  "token_type": "Bearer",
  "expires_in": 3600,
  "id_token": "eyJhbGciOiJSUzI1NiIs..."
}