Skip to main content
POST
Handles two grants, selected by the grant_type body field: authorization_code (with mandatory PKCE) and refresh_token (with rotation and reuse detection). Accepts both application/json and application/x-www-form-urlencoded. Prefer form encoding, since that’s what most OAuth libraries send by default. Access tokens are JWTs signed with ES256, valid for 900 seconds. Refresh tokens are opaque strings, valid for 60 days from whenever they were last issued, and rotate on every use.

PKCE

Before starting the authorization request, generate:
  • code_verifier: a high-entropy random string, 43–128 characters, from the unreserved character set (A-Z, a-z, 0-9, -, ., _, ~). Keep it client-side only.
  • code_challenge: the base64url-encoded SHA-256 hash of code_verifier, sent during authorization.

Authorization code grant

Body Parameters

grant_type
string
required
Must be "authorization_code".
client_id
string
required
code
string
required
The code from the /oauth/authorize callback. Single-use: redeeming it twice fails with invalid_grant. Expires 10 minutes after it was issued.
redirect_uri
string
required
Must exactly match the redirect_uri used in the authorization request.
code_verifier
string
required
The original value that code_challenge was derived from.

Body Parameters

grant_type
string
required
Must be "refresh_token".
client_id
string
required
refresh_token
string
required
scope
string
Optionally narrow the scope of the new access token. Must be a subset of what the grant already has. You can’t use this to escalate scope.

Errors