# Exchange Code for Token

Exchanges an authorization code for tokens, following the OIDC standard. PKCE is supported.

<Info>
  Send parameters as `application/x-www-form-urlencoded` and authenticate with HTTP Basic when using confidential clients.
</Info>

## Request Body

<ParamField body="grant_type" type="string" required default="authorization_code">
  Must be `authorization_code`.
</ParamField>

<ParamField body="code" type="string" required>
  The authorization code received after a successful verification.
</ParamField>

<ParamField body="client_id" type="string">
  Required for public clients or when not using HTTP Basic.
</ParamField>

<ParamField body="redirect_uri" type="string" required>
  Must exactly match the redirect URI used in the authorization request.
</ParamField>

<ParamField body="client_secret" type="string">
  Confidential clients include their Client Secret either via HTTP Basic (recommended) or in the form body.
</ParamField>

<ParamField body="code_verifier" type="string">
  (Optional) The PKCE code verifier. Required if a `codeChallenge` was provided during verification creation.
</ParamField>
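
The PKCE and client-authentication rules above, as an added example (not Hopae's own code): it generates a code verifier, derives its challenge, and builds the form-encoded token request for a public or confidential client without sending it. The S256 challenge method (RFC 7636) and all function names are assumptions; this page does not state which challenge method the service expects.

```python
import base64
import hashlib
import secrets
from urllib.parse import quote_plus, urlencode


def b64url(data: bytes) -> str:
    """Base64url without '=' padding, as RFC 7636 requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def new_code_verifier() -> str:
    """43-character verifier from 32 random bytes (RFC 7636 section 4.1)."""
    return b64url(secrets.token_bytes(32))


def s256_challenge(verifier: str) -> str:
    """Challenge sent when the verification is created (S256 is assumed)."""
    return b64url(hashlib.sha256(verifier.encode("ascii")).digest())


def build_token_request(code, redirect_uri, client_id,
                        client_secret=None, code_verifier=None):
    """Return (headers, body) for POST /token without sending anything."""
    form = {
        "grant_type": "authorization_code",
        "code": code,
        "redirect_uri": redirect_uri,  # must match the authorization request
    }
    if code_verifier is not None:
        form["code_verifier"] = code_verifier
    headers = {"Content-Type": "application/x-www-form-urlencoded"}
    if client_secret is None:
        # Public client: no secret, so client_id goes in the form body.
        form["client_id"] = client_id
    else:
        # Confidential client: HTTP Basic keeps the secret out of the body.
        # RFC 6749 section 2.3.1 form-encodes both parts before base64.
        pair = f"{quote_plus(client_id)}:{quote_plus(client_secret)}"
        token = base64.b64encode(pair.encode("utf-8")).decode("ascii")
        headers["Authorization"] = f"Basic {token}"
    return headers, urlencode(form)


if __name__ == "__main__":
    verifier = new_code_verifier()  # keep server-side until the callback
    print("code challenge:", s256_challenge(verifier))
    print(build_token_request("auth_xyz", "https://app.example.com/callback",
                              "CLIENT_ID", code_verifier=verifier))
```

Store the verifier in the session that started the verification and discard it after the exchange, since anyone holding both the code and the verifier can redeem the code.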

## Response

<ResponseField name="access_token" type="string">
  Bearer token you can use to call the `/userinfo` endpoint.
</ResponseField>

<ResponseField name="token_type" type="string" default="Bearer">
  Always `Bearer`.
</ResponseField>

<ResponseField name="expires_in" type="number">
  Lifetime of the access token in seconds (for example, `3600`).
</ResponseField>

<ResponseField name="id_token" type="string">
  A JWT with technical, non‑PII claims (for example: `sub`, `acr`, `hopae_loa`, `iat`, `exp`, `iss`, `aud`).
  Personal claims are not included in the ID Token. Use `/userinfo` to retrieve user attributes.
</ResponseField>

<RequestExample>
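  ```bash
  # CLIENT_ID and CLIENT_SECRET are placeholders for a confidential client's
  # credentials, sent via HTTP Basic as recommended above.
  curl --request POST \
    --url 'https://sandbox.connect.hopae.com/token' \
    --user "$CLIENT_ID:$CLIENT_SECRET" \
    --header 'Content-Type: application/x-www-form-urlencoded' \
    --data 'grant_type=authorization_code&code=auth_xyz&redirect_uri=https%3A%2F%2Fapp.example.com%2Fcallback'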
  ```
</RequestExample>

<ResponseExample>
  ```json Response
  {
    "access_token": "eyJhbGciOiJSUzI1NiIs...",
    "token_type": "Bearer",
    "expires_in": 3600,
    "id_token": "eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9..."
  }
  ```
</ResponseExample>
