Token endpoints for exchanging authorization codes for tokens and refreshing access tokens. Supports the authorization_code and refresh_token grant types.
Base URL: https://idp.authpi.com — see the IdP API overview for the
supported flows, or try these endpoints in the interactive reference.
POST/{issuer_id}/tokenToken Endpoint
Exchanges grants for access tokens (RFC 6749).
POST /{issuer_id}/token
Content-Type: application/x-www-form-urlencoded
grant_type=authorization_code
&code={authorization_code}
&redirect_uri={redirect_uri}
&client_id={client_id}
&code_verifier={code_verifier}
POST /{issuer_id}/token
Content-Type: application/x-www-form-urlencoded
grant_type=refresh_token
&refresh_token={refresh_token}
&client_id={client_id}
Token Rotation: A new refresh token is issued with each refresh request. The previous refresh token is invalidated.
For M2M clients (c_ prefix) and agents (agt_ prefix):
POST /{issuer_id}/token
Content-Type: application/x-www-form-urlencoded
grant_type=client_credentials
&client_id={client_id}
&client_secret={client_secret}
&scope={scope}
&resource={audience}
Or use HTTP Basic auth with client_id:client_secret. Returns an access token only — no refresh token or ID token.
client_id and client_secret in the request bodyclient_id and use PKCE
Content type: application/x-www-form-urlencoded
| Property | Type | Required | Description |
|---|---|---|---|
grant_type | authorization_code | refresh_token | client_credentials | Required | The type of grant being exchanged. Use 'authorization_code' for initial token exchange, 'refresh_token' for token renewal, 'client_credentials' for machine-to-machine auth. |
code | string | Optional | The authorization code received from the authorize endpoint. Required when grant_type is 'authorization_code'. |
refresh_token | string | Optional | The refresh token from a previous token response. Required when grant_type is 'refresh_token'. |
client_id | string | Optional | Your application's client ID. Required for public clients; optional for confidential clients using HTTP Basic auth. |
client_secret | string | Optional | Your application's client secret. Required for confidential clients if not using HTTP Basic auth. |
redirect_uri | string | Optional | Must exactly match the redirect_uri used in the authorization request. Required for authorization_code grant. |
scope | string | Optional | Space-separated list of scopes. For refresh_token grants, must be a subset of the originally granted scopes. |
code_verifier | string | Optional | The PKCE code verifier that corresponds to the code_challenge sent in the authorization request. Required if PKCE was used. |
resource | string | Optional | Resource indicator (RFC 8707). Sets the access token audience. For client_credentials grants. |
| Code | Description | Schema |
|---|---|---|
| 200 | Success - Tokens issued successfully. | TokenResponse |
| 400 | Bad Request - The request is malformed or missing required parameters. | OAuthError |
| 401 | Unauthorized - Authentication is required or has failed. | OAuthError |
| 403 | Forbidden - The authenticated client or user lacks permission for this operation. | OAuthError |
| 404 | Not Found - The requested resource does not exist. | OAuthError |
| 422 | Unprocessable Entity - The request syntax is correct but the data cannot be processed. | OAuthError |
| 429 | Too Many Requests - Rate limit exceeded. | OAuthError |
| 500 | Internal Server Error - An unexpected error occurred. | OAuthError |