The token endpoint is used to obtain tokens during authorization or to refresh tokens without having to go through authorization again. In each successful token response, you will receive a new id_token and a new refresh_token.
Please note!
Use the correct schema (detailed below) for the type of token request you're making. The initial token request and the refresh token requests require different security schemas and parameters.
Obtain tokens
To obtain the initial set of tokens or to reauthorize, you will need the following:
- grant_type must be set to authorization_code.
- redirect_uri must be the same as your app's registered redirect_uri.
- code is the authorization code from the end-user's authentication flow. See: Get authorization code.
- Security: Include Basic Auth in the header of the call. Select "Basic Auth" in Try it and use your client_id and client_secret as username & password.
Refresh tokens
Refresh token expiration times are set by the provider.
- grant_type must be set to refresh_token.
- refresh_token must be set to the refresh token received in the most recent, previous obtain or refresh token call for your end-user.
- Security: Include your client_id and client_secret in the body of the request. Remove any information from "Basic Auth" (username and password) in Try it.
Responses
Token requests return a new set of tokens. When you refresh or reauthorize, the new tokens replace the tokens from your previous successful obtain or refresh token call.
The id_token (JWT) is a short-lived token. It's used as the bearer token for data calls. To ensure data calls are secure, the id_token must be renewed regularly. To retrieve a new id_token, use the refresh token request. Read more about tokens.
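The two request shapes and the token replacement described above, sketched in Python as an added example (not the provider's own code). The endpoint URL, the function names and the form-encoded body are assumptions; the requests are only built, not sent.

```python
import base64
import urllib.parse
import urllib.request

# Assumption: placeholder URL; substitute the provider's real token endpoint.
TOKEN_URL = "https://provider.example/oauth2/token"


def _form_request(fields, headers=None):
    """Build a POST with a form-encoded body (assumed; the usual OAuth 2.0 encoding)."""
    body = urllib.parse.urlencode(fields).encode("ascii")
    req = urllib.request.Request(TOKEN_URL, data=body, method="POST")
    req.add_header("Content-Type", "application/x-www-form-urlencoded")
    for name, value in (headers or {}).items():
        req.add_header(name, value)
    return req


def build_obtain_request(client_id, client_secret, code, redirect_uri):
    """Initial request: credentials go in the Basic Auth header, not the body."""
    basic = base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()
    return _form_request(
        {"grant_type": "authorization_code", "code": code, "redirect_uri": redirect_uri},
        {"Authorization": f"Basic {basic}"},
    )


def build_refresh_request(client_id, client_secret, refresh_token):
    """Refresh request: credentials go in the body; no Basic Auth header is set."""
    return _form_request({
        "grant_type": "refresh_token",
        "refresh_token": refresh_token,
        "client_id": client_id,
        "client_secret": client_secret,
    })


def apply_token_response(store, response):
    """Replace the stored pair so the next refresh uses the newest refresh_token."""
    store["id_token"] = response["id_token"]
    store["refresh_token"] = response["refresh_token"]
    return store
```

Keep client_secret and the stored refresh_token out of logs and error messages, since the refresh request carries both in its body.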