
Issue an OAuth 2.0 access token

POST /oauth2/token

Exchanges an authorization code, refresh token, client credentials, or JWT assertion for an access token (and optionally a refresh token and, for OpenID Connect clients, an ID token). The grant_type parameter selects the exchange:

  • authorization_code — exchanges a code received at the authorization endpoint; requires code, plus redirect_uri if one was sent in the authorization request, and code_verifier for clients that used PKCE.
  • refresh_token — exchanges a refresh token for a new access token; requires refresh_token.
  • client_credentials — issues a token for the client itself without end-user involvement; takes no code or refresh_token and is limited to confidential clients that can authenticate (RFC 6749 Section 4.4).
  • urn:ietf:params:oauth:grant-type:jwt-bearer (RFC 7523) — exchanges a JWT assertion for an access token; requires assertion.

Client authentication uses one of the configured methods: HTTP Basic (client_id and client_secret in the Authorization header), POST body parameters (client_id and client_secret), or a JWT client assertion (client_assertion and client_assertion_type). A client must use only one of these methods in a given request (RFC 6749 Section 2.3); public clients identify themselves with client_id alone. Refer to the introduction section for details on how to configure this use case.
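The request construction described above, as an added example (not nevisAuth code and not part of this page's own material). It builds the form body for each grant type, enforces the per-grant required parameters listed here, and attaches exactly one client authentication method. The issuer URL, the client credentials and the choice of HS256 under the client secret for the JWT client assertion are assumptions of the example; the same block also shows the server-side check of that assertion so the two ends can be read together.

```python
"""Build a POST /oauth2/token request with each client authentication
method the page lists. Added example, not nevisAuth code."""
import base64
import hashlib
import hmac
import json
import time
import urllib.parse

TOKEN_URL = "https://idp.example.com/oauth2/token"  # assumed issuer URL
JWT_BEARER = "urn:ietf:params:oauth:grant-type:jwt-bearer"
CLIENT_ASSERTION_JWT = "urn:ietf:params:oauth:client-assertion-type:jwt-bearer"

# Parameters each grant_type must carry, per the page's grant list.
REQUIRED = {
    "authorization_code": {"code"},
    "refresh_token": {"refresh_token"},
    "client_credentials": set(),
    JWT_BEARER: {"assertion"},
}


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def basic_auth_header(client_id: str, client_secret: str) -> str:
    """RFC 6749 section 2.3.1: form-urlencode both values before joining
    them with ':' and Base64-encoding, so a secret containing ':' survives."""
    pair = urllib.parse.quote_plus(client_id) + ":" + urllib.parse.quote_plus(client_secret)
    return "Basic " + base64.b64encode(pair.encode("ascii")).decode("ascii")


def client_assertion_jwt(client_id, client_secret, now=None, jti="req-0001"):
    """RFC 7523 section 3 client assertion. Signing with HS256 under the
    client secret is an assumption of this example; iss and sub are the
    client_id, aud is the token endpoint, exp keeps the replay window short."""
    now = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {"iss": client_id, "sub": client_id, "aud": TOKEN_URL,
              "iat": now, "exp": now + 60, "jti": jti}
    signing_input = ".".join(
        b64url(json.dumps(p, separators=(",", ":")).encode()) for p in (header, claims))
    sig = hmac.new(client_secret.encode(), signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url(sig)


def verify_client_assertion(assertion, client_secret, client_id, now=None):
    """What the token endpoint checks on the assertion above. The algorithm
    is pinned before the signature is checked, so an 'alg' swap cannot
    downgrade the HMAC; claims are only read after the MAC verifies."""
    now = int(time.time()) if now is None else now

    def decode(seg):
        return json.loads(base64.urlsafe_b64decode(seg + "=" * (-len(seg) % 4)))

    try:
        h, c, s = assertion.split(".")
        hdr = decode(h)
        if not isinstance(hdr, dict) or hdr.get("alg") != "HS256":
            return False
        expected = hmac.new(client_secret.encode(), f"{h}.{c}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(b64url(expected), s):
            return False
        claims = decode(c)
    except ValueError:          # wrong segment count, bad base64 or bad JSON
        return False
    if not isinstance(claims, dict):
        return False
    return (claims.get("iss") == claims.get("sub") == client_id
            and claims.get("aud") == TOKEN_URL and claims.get("exp", 0) > now)


def build_token_request(grant_type, *, client_auth, **params):
    """Return (headers, body) for one token request. client_auth is
    (method, client_id, client_secret); method is 'basic', 'post', 'jwt'
    or 'none' (public client, client_id only). Exactly one method is used."""
    if grant_type not in REQUIRED:
        raise ValueError(f"unsupported grant_type {grant_type!r}")
    missing = REQUIRED[grant_type] - set(params)
    if missing:
        raise ValueError(f"{grant_type} requires {sorted(missing)}")
    method, client_id, client_secret = client_auth
    headers = {"Content-Type": "application/x-www-form-urlencoded"}
    body = {"grant_type": grant_type, **params}
    if method == "basic":
        headers["Authorization"] = basic_auth_header(client_id, client_secret)
    elif method == "post":   # NOT RECOMMENDED by RFC 6749 section 2.3.1
        body.update(client_id=client_id, client_secret=client_secret)
    elif method == "jwt":
        body.update(client_assertion_type=CLIENT_ASSERTION_JWT,
                    client_assertion=client_assertion_jwt(client_id, client_secret))
    elif method == "none":
        body["client_id"] = client_id
    else:
        raise ValueError(f"unknown client authentication method {method!r}")
    return headers, body


def encode_body(body) -> str:
    """Form-encode the body; doseq=True turns a list-valued 'resource'
    (RFC 8707) into a repeated parameter. Send it with, for example,
    urllib.request.Request(TOKEN_URL, data=encode_body(body).encode(), headers=headers)."""
    return urllib.parse.urlencode(body, doseq=True)
```

The Basic header produced for the RFC 6749 sample credentials (s6BhdRkqt3 / gX1fBat3bV) is the one printed in RFC 6749 Section 4.1.3; pass resource as a list to request several audiences in one call.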

Request

Header Parameters

    Authorization string

    HTTP Basic authentication header for confidential clients. The credentials are client_id:client_secret, Base64-encoded; per RFC 6749 Section 2.3.1 both values are application/x-www-form-urlencoded before they are joined, so a secret containing ':' or non-ASCII characters is transmitted unambiguously.

Body

    grant_type stringrequired

    The grant type. One of authorization_code, refresh_token, client_credentials, or urn:ietf:params:oauth:grant-type:jwt-bearer.

    code string

    The authorization code received from the authorization endpoint. Required for the authorization_code grant.

    redirect_uri uri

    Must exactly match the redirect_uri used in the original authorization request. Required for the authorization_code grant only if redirect_uri was included in the original authorization request (RFC 6749 Section 4.1.3).

    client_id string

    The client identifier. Required for public clients; optional for confidential clients authenticating via the Authorization header.

    client_secret string

    The client secret, for clients that cannot use HTTP Basic authentication. Sending credentials in the POST body is NOT RECOMMENDED by RFC 6749 Section 2.3.1; HTTP Basic authentication via the Authorization header is preferred.

    refresh_token string

    The refresh token previously issued by the token endpoint. Required for the refresh_token grant.

    scope string

    Space-delimited list of requested scopes. Optional for most grants. For the refresh_token grant, this parameter is ignored: nevisAuth always issues the new token with the same scopes as the original grant.

    code_verifier string

    (PKCE, RFC 7636) The original high-entropy random string from which the code_challenge sent to the authorization endpoint was derived. Required for clients that used PKCE: the server recomputes the challenge from it and rejects the exchange on mismatch, which is what binds the code to the client instance that started the flow.

    assertion string

    (JWT Bearer grant) The JWT assertion representing the subject on whose behalf the token is requested. Required for the urn:ietf:params:oauth:grant-type:jwt-bearer grant.

    client_assertion string

    JWT used to authenticate the client itself. Used together with client_assertion_type as an alternative to client_secret.

    client_assertion_type string

    Indicates the type of the client_assertion. Must be urn:ietf:params:oauth:client-assertion-type:jwt-bearer when using JWT client authentication.

    resource uri

    URI of the target resource or service the access token is intended for (RFC 8707). When present, the server derives the token audience from the resource metadata. May be repeated to request access to multiple resources.
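The code_verifier, code, and redirect_uri checks described in the parameter list above, as an added example covering both sides of PKCE (not nevisAuth code). The client half generates the verifier and its S256 challenge; the server half recomputes and compares, enforces the redirect_uri rule, and makes the code single use. Only the S256 method is handled, which is a design choice of this example rather than a statement about nevisAuth, and the ISSUED_CODES table is a constructed stand-in for the server's per-code state.

```python
"""PKCE (RFC 7636) on both ends of the authorization_code exchange.
Added example, not nevisAuth code. Only the S256 method is handled (a
design choice here, not a statement about nevisAuth); the ISSUED_CODES
table is a constructed stand-in for the server's per-code state."""
import base64
import hashlib
import hmac
import os
import re

# RFC 7636 section 4.1: 43 to 128 characters from the unreserved set.
VERIFIER_RE = re.compile(r"^[A-Za-z0-9\-._~]{43,128}$")


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def make_code_verifier(nbytes: int = 32) -> str:
    """Client side: 32 random bytes give 43 base64url characters, the minimum."""
    return b64url(os.urandom(nbytes))


def code_challenge_s256(verifier: str) -> str:
    """Client side: what goes to the authorization endpoint as code_challenge."""
    return b64url(hashlib.sha256(verifier.encode("ascii")).digest())


def verify_code_verifier(stored_challenge, stored_method, verifier) -> bool:
    """Server side: recompute the challenge from the submitted code_verifier
    and compare in constant time. A code issued with a challenge must never
    be redeemable without one, so a missing verifier fails too."""
    if stored_method != "S256":
        return False
    if not isinstance(verifier, str) or not VERIFIER_RE.match(verifier):
        return False
    return hmac.compare_digest(code_challenge_s256(verifier), stored_challenge)


# Constructed sample of what the authorization endpoint records per code.
# The challenge is the RFC 7636 Appendix B vector for the verifier
# dBjftJeZ4CVP-mB92K27uhbUJU1p1r_wW1gFWFOEjXk.
ISSUED_CODES = {
    "SplxlOBeZQQYbYS6WxSbIA": {
        "client_id": "s6BhdRkqt3",
        "redirect_uri": "https://client.example.com/cb",
        "code_challenge": "E9Melhoa2OwvFrEMTJguCHaoeK1t8URWbuGJSstw-cM",
        "code_challenge_method": "S256",
        "used": False,
    },
}


def exchange_authorization_code(codes, client_id, code, redirect_uri=None, code_verifier=None):
    """The token endpoint's checks for grant_type=authorization_code, after
    client authentication. Returns (ok, error) with RFC 6749 error codes."""
    entry = codes.get(code)
    if entry is None or entry["used"] or entry["client_id"] != client_id:
        return False, "invalid_grant"
    # RFC 6749 section 4.1.3: redirect_uri is required, and must match,
    # only when one was sent in the authorization request.
    if entry["redirect_uri"] is not None and redirect_uri != entry["redirect_uri"]:
        return False, "invalid_grant"
    if entry["code_challenge"] is not None and not verify_code_verifier(
            entry["code_challenge"], entry["code_challenge_method"], code_verifier):
        return False, "invalid_grant"
    entry["used"] = True   # codes are single use (RFC 6749 section 4.1.2)
    return True, None


if __name__ == "__main__":
    v = make_code_verifier()
    print("code_verifier :", v)
    print("code_challenge:", code_challenge_s256(v))
```

The client keeps code_verifier private until the token request and never sends it to the authorization endpoint; only the challenge travels through the browser, so an intercepted code is useless without the verifier.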

Responses

Token issued successfully

Schema
    access_token stringrequired

    The issued access token. Clients use this to access protected resources.

    token_type stringrequired

    The type of the token. Always Bearer for nevisAuth; clients should compare the value case-insensitively, as RFC 6749 Section 5.1 requires.

    expires_in int64

    Lifetime of the access token in seconds.

    refresh_token string

    Refresh token issued alongside the access token. Only present when the offline_access scope was granted and the grant type supports it.

    scope string

    Space-delimited list of scopes actually granted. May be omitted when it is identical to the requested scope (RFC 6749 Section 5.1); a client that sees no scope field must therefore treat the requested scopes as granted, and one that sees a narrower list must respect it.

    id_token string

    Signed JWT identity token (OpenID Connect). Only present when the openid scope was requested. Clients must validate it (signature, iss, aud, exp, and the nonce from the authorization request) before trusting its claims (OpenID Connect Core Section 3.1.3.7).
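Consuming the success response described by this schema, as an added example (not nevisAuth code). It enforces the two required fields, compares token_type case-insensitively, converts expires_in into an absolute deadline with a clock-skew margin, treats an absent scope as identical to the requested scope while flagging a narrowed grant, and keeps refresh_token and id_token optional. The sample response is constructed for the example and its id_token is a placeholder, not a verifiable JWT.

```python
"""Consume the success response of POST /oauth2/token. Added example,
not nevisAuth code; the sample response JSON is constructed."""
import json
import time

SAMPLE_RESPONSE = json.dumps({
    "access_token": "2YotnFZFEjr1zCsicMWpAA",
    "token_type": "Bearer",
    "expires_in": 3600,
    "refresh_token": "tGzv3JOkF0XG5Qx2TlKWIA",
    "id_token": "eyJhbGciOiJSUzI1NiJ9.e30.sig",   # placeholder, not a valid JWT
})


class TokenResponseError(ValueError):
    pass


def parse_token_response(raw, requested_scope, now=None, skew=30):
    """Apply the schema rules: access_token and token_type are mandatory,
    token_type is matched case-insensitively (RFC 6749 section 5.1),
    expires_in becomes an absolute deadline minus a clock-skew margin,
    an absent scope means 'identical to what was requested', and
    refresh_token / id_token are optional."""
    now = time.time() if now is None else now
    data = json.loads(raw)
    if not isinstance(data, dict):
        raise TokenResponseError("token response is not a JSON object")
    for field in ("access_token", "token_type"):
        if not isinstance(data.get(field), str) or not data[field]:
            raise TokenResponseError(f"missing required field {field}")
    if data["token_type"].lower() != "bearer":
        raise TokenResponseError(f"unsupported token_type {data['token_type']!r}")
    requested = set(requested_scope.split())
    granted = set(data["scope"].split()) if "scope" in data else requested
    expires_in = data.get("expires_in")
    expires_at = None if expires_in is None else now + int(expires_in) - skew
    return {
        "access_token": data["access_token"],
        "expires_at": expires_at,
        "scope": granted,
        "downscoped": not requested <= granted,
        "refresh_token": data.get("refresh_token"),
        "id_token": data.get("id_token"),   # must be validated before use
    }


def is_expired(token, now=None):
    """False when the server gave no expires_in (unknown lifetime is
    treated as live until the resource server rejects the token)."""
    now = time.time() if now is None else now
    return token["expires_at"] is not None and now >= token["expires_at"]
```

A client that ignores the downscoped flag will later hit authorization failures at the resource server that look like token expiry; checking it at parse time makes the narrowed grant visible where it happened.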
