Token Endpoint
Overview
The Token Endpoint is used by clients to exchange an authorization code, refresh tokens, or client credentials for OAuth 2.0 tokens (Access Token, Refresh Token, and optionally an ID Token).
It is typically called by back-end components (not the browser) using HTTPS POST requests.
Endpoint
The endpoint is advertised as the authorization_endpoint entry in the metadata exposed by the discovery endpoint, and is typically:
POST https://[BASE_URL]/connect/token
Parameters (form-encoded)
| Parameter | Required | Description |
|---|---|---|
| grant_type | Yes | The grant type (authorization_code, refresh_token, client_credentials, etc.). |
| code | Required for authorization_code | The authorization code received from the Authorization Endpoint. |
| redirect_uri | Required for authorization_code | Must match the original redirect_uri used in the authorization request. |
| client_id | Required (if not using the client authentication header) | The client identifier. |
| client_secret | Required (for confidential clients) | The client's secret. |
| code_verifier | Required for PKCE | The original code verifier for PKCE-enabled flows. |
| refresh_token | Required for refresh_token grant | The refresh token issued earlier. |
Response
Successful responses are JSON objects containing the issued tokens, for example:
{
"access_token": "SlAV32hkKG",
"token_type": "Bearer",
"expires_in": 3600,
"refresh_token": "8xLOxBtZp8",
"id_token": "eyJhbGciOiJSUzI1..."
}
Usage (Authorization Code Flow with PKCE)
- Obtain Authorization Code: from the Authorization Endpoint.
- Send Token Request:
HTTP POST /token
Content-Type: application/x-www-form-urlencoded
Authorization: Basic base64(client_id:client_secret)

grant_type=authorization_code&
code=SplxlOBeZQQYbYS6WxSbIA&
redirect_uri=https%3A%2F%2Frp.example.com%2Fcallback&
code_verifier=abcdef123456
- Receive Tokens: the IdP responds with an Access Token, an ID Token (if OIDC), and optionally a Refresh Token.
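As an added example (not code from the original page or from the product it documents), the following Python sketch shows both sides of the PKCE exchange described above: the client generates the code_verifier/code_challenge pair and builds the token request, and the server recomputes the S256 challenge before accepting the authorization code. The client identifier, secret, code and redirect URI used in the comments and tests are assumed sample values.

```python
import base64
import hashlib
import re
import secrets
from typing import Dict, Optional, Tuple
from urllib.parse import urlencode

# RFC 7636 code_verifier alphabet and length limits (43-128 unreserved chars).
_VERIFIER_RE = re.compile(r"[A-Za-z0-9._~-]{43,128}")


def _b64url(data: bytes) -> str:
    """Base64url without padding, as PKCE requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def make_pkce_pair() -> Tuple[str, str]:
    """Client side: a random code_verifier and its S256 code_challenge."""
    verifier = _b64url(secrets.token_bytes(32))  # 43 chars after padding is stripped
    return verifier, _b64url(hashlib.sha256(verifier.encode("ascii")).digest())


def build_token_request(client_id: str, code: str, redirect_uri: str,
                        code_verifier: str, client_secret: Optional[str] = None
                        ) -> Tuple[Dict[str, str], str]:
    """Client side: headers and form body for POST /connect/token.

    A confidential client authenticates with an Authorization: Basic header.
    A public client (client_secret=None) sends only client_id and relies on PKCE,
    so no secret is ever embedded in the request.
    """
    headers = {"Content-Type": "application/x-www-form-urlencoded"}
    form = {
        "grant_type": "authorization_code",
        "code": code,
        "redirect_uri": redirect_uri,  # must equal the redirect_uri used at /authorize
        "code_verifier": code_verifier,
    }
    if client_secret is None:
        form["client_id"] = client_id  # public client: identify, do not authenticate
    else:
        creds = f"{client_id}:{client_secret}".encode("utf-8")
        headers["Authorization"] = "Basic " + base64.b64encode(creds).decode("ascii")
    return headers, urlencode(form)


def verify_pkce(code_verifier: str, stored_challenge: str) -> bool:
    """Server side: recompute S256 over the presented verifier and compare it in
    constant time with the challenge stored alongside the authorization code."""
    if not _VERIFIER_RE.fullmatch(code_verifier):
        return False
    computed = _b64url(hashlib.sha256(code_verifier.encode("ascii")).digest())
    return secrets.compare_digest(computed, stored_challenge)
```

A verifier that does not reproduce the stored challenge must cause the server to reject the code exchange, which is what stops an intercepted authorization code from being redeemed by a party that did not start the flow.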
Security Considerations
- Never expose client_secret in public clients (use PKCE instead).
- Validate all tokens received (signature, expiration, audience, nonce).
Related Endpoints
- Authorization Endpoint – Provides authorization codes.
- End Session Endpoint – To terminate sessions.
- Introspection Endpoint – To validate Access Tokens.