Exchange code for tokens

Client authentication can be provided either:

  1. In the request body using client_id and client_secret parameters, or
  2. Using HTTP Basic authentication with client_id as username and client_secret as password

If both are provided, Basic authentication takes precedence.

This endpoint supports two use cases:

  1. Authorization Code Exchange:

    • Use this when you have received an authorization code from the /authorize flow
    • Required parameters: grant_type=authorization_code, code, redirect_uri, client_id, client_secret
    • Returns both access_token and refresh_token
    • The redirect_uri must match the one used in the original /authorize request
    • The authorization code must be exchanged within 15 minutes of being generated
    • Each authorization code can only be exchanged once
  2. Refresh Token Exchange:

    • Use this to get a new access_token when your current one expires
    • Required parameters: grant_type=refresh_token, refresh_token, client_id, client_secret
    • Returns only access_token (refresh_token remains the same)
    • No redirect_uri needed for this flow

Notes:

  • Access tokens expire after 1 hour (3600 seconds)
  • Always store refresh_tokens securely - they are long-lived credentials
  • If a refresh_token becomes compromised, obtain a new authorization code through the /authorize flow
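
A client-side sketch of the two grant types and the token lifetimes above, added here as an example and not taken from this API's own SDK or documentation. `TokenManager`, the `post` transport callable and the `skew` margin are hypothetical names; the endpoint URL and body encoding are left to the `post` function the caller supplies.

```python
import base64
import time

ACCESS_TOKEN_TTL = 3600  # seconds; access token lifetime from the Notes above


def basic_auth_header(client_id, client_secret):
    """HTTP Basic value: client_id as username, client_secret as password."""
    raw = f"{client_id}:{client_secret}".encode("utf-8")
    return "Basic " + base64.b64encode(raw).decode("ascii")


class TokenManager:
    """Client-side token bookkeeping for both grant types.

    `post(headers, params) -> dict` is a hypothetical transport supplied by the
    caller: it sends the request to the token endpoint and returns the parsed body.
    """

    def __init__(self, post, client_id, client_secret, clock=time.time, skew=60):
        self._post = post
        # Credentials travel in the header only, so no second copy in the body
        # can disagree with it (Basic takes precedence when both are present).
        self._headers = {"Authorization": basic_auth_header(client_id, client_secret)}
        self._clock = clock
        self._skew = skew  # assumed safety margin: refresh this many seconds early
        self._access = self._refresh = None
        self._expires_at = 0.0

    def _store(self, body):
        self._access = body["access_token"]
        # The refresh grant returns only access_token: keep the stored
        # refresh_token instead of overwriting it with a missing value.
        self._refresh = body.get("refresh_token") or self._refresh
        self._expires_at = self._clock() + ACCESS_TOKEN_TTL

    def exchange_code(self, code, redirect_uri):
        """Authorization code grant; redirect_uri must match the /authorize request."""
        self._store(self._post(self._headers, {
            "grant_type": "authorization_code", "code": code, "redirect_uri": redirect_uri}))

    def access_token(self):
        """Return a usable access token, running the refresh grant near expiry."""
        if self._refresh is None:
            raise RuntimeError("no refresh_token stored; run the /authorize flow first")
        if self._clock() >= self._expires_at - self._skew:
            self._store(self._post(self._headers, {
                "grant_type": "refresh_token", "refresh_token": self._refresh}))
        return self._access
```

Keep the `TokenManager` instance's refresh_token in a secret store rather than in logs or plain files, since it outlives every access token it produces.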