Exchange authorization code or refresh token for access token
OAuth
Exchange Token
Supports both application/json and application/x-www-form-urlencoded. Use grant_type=authorization_code to exchange an auth code, or grant_type=refresh_token to refresh an expired access token.
POST
Exchange authorization code or refresh token for access token
client_id and client_secret must be passed in the request body. Basic Auth header is not supported.Usage
1. Exchange Authorization Code for Token
After the user approves on the consent page, yourredirect_uri receives a code parameter. Exchange it for an access token:
2. Refresh an Expired Token
Access tokens expire after 1 hour. Use the refresh token to get a new token pair:Common Errors
| Error | Cause |
|---|---|
Missing client credentials | Request body missing client_id or client_secret |
Invalid client credentials | client_id not found or client_secret mismatch |
Invalid or expired authorization code | Auth code expired (5 min TTL) or already used |
redirect_uri mismatch | redirect_uri doesn’t match the one from the authorization request |
Invalid or expired refresh token | Refresh token invalid, expired (90 days), or already rotated |
Body
OAuth grant type
Available options:
authorization_code, refresh_token Your application UUID
Example:
"your-app-uuid"
Your application secret (plaintext)
Authorization code from the callback redirect (required when grant_type=authorization_code)
Must exactly match the redirect_uri used in the authorization request (required when grant_type=authorization_code)
Example:
"https://your-app.com/callback"
Refresh token from a prior token response (required when grant_type=refresh_token)

