Skip to main content
POST
Exchanges an authorization code for tokens, following the OIDC standard.
Send parameters as application/x-www-form-urlencoded and authenticate with HTTP Basic when using confidential clients.

Request Body

grant_type
string
default:"authorization_code"
required
Must be ‘authorization_code’.
code
string
required
The authorization code received after a successful verification.
client_id
string
Required for public clients or when not using HTTP Basic.
redirect_uri
string
required
Must exactly match the redirect URI used in the authorization request.
client_secret
string
Confidential clients include their Client Secret either via HTTP Basic (recommended) or in the form body.

Response

access_token
string
Bearer token you can use to call the /userinfo endpoint.
token_type
string
default:"Bearer"
Always Bearer.
expires_in
number
Lifetime of the access token in seconds (for example, 3600).
id_token
string
A JWT with technical, non‑PII claims (for example: sub, acr, hopae_loa, iat, exp, iss, aud). Personal claims are not included in the ID Token. Use /userinfo to retrieve user attributes.