# OAuth token endpoint

Accepts application/x-www-form-urlencoded or application/json.

authorization_code grant: grant_type, code, code_verifier, client_id, redirect_uri

refresh_token grant: grant_type, refresh_token, client_id

Endpoint: POST /public/v1/oauth/token/
Version: 1.0.0

## Request fields (application/json):

  - `grant_type` (string, required)
    OAuth 2.0 grant type. Use authorization_code for desktop/CLI apps (requires PKCE), or refresh_token to refresh an expired access token.
    Enum: "authorization_code", "refresh_token"

  - `code` (string)
    The authorization code received in the redirect. Required for authorization_code grant.

  - `code_verifier` (string)
    PKCE code verifier. The random string used to generate the code_challenge. Required for authorization_code grant.

  - `client_id` (string, required)
    The client_id returned during client registration. Required for both grant types.

  - `redirect_uri` (string)
    Must match the redirect_uri used in the authorization request. Required for authorization_code grant.

  - `refresh_token` (string)
    The refresh token from a previous token response. Required for refresh_token grant.

  - `resource` (string)
    RFC 8707 resource indicator. If sent, must match the resource from the authorization request.

## Response 200 fields (application/json):

  - `access_token` (string, required)
    Bearer token for authenticating API requests.

  - `refresh_token` (string, required)
    Token used to obtain a new access token when the current one expires.

  - `token_type` (string, required)
    Always Bearer.

  - `expires_in` (integer, required)
    Lifetime of the access token in seconds.

  - `scope` (string, required)
    Space-separated list of scopes granted to this token.
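
A client-side example of this exchange, added here and not part of the API's own documentation or code: it derives the PKCE `code_challenge` from the `code_verifier`, builds the JSON body for either grant, and checks the 200 response fields listed above. It assumes the S256 challenge method from RFC 7636 (this page does not name the method); the helper names, the client-side rejection of stray fields, and the sample values are constructed for illustration.

```python
import base64, hashlib, json, secrets

# Required fields per grant type, as listed on this page; "resource" is optional.
REQUIRED = {
    "authorization_code": ("grant_type", "code", "code_verifier", "client_id", "redirect_uri"),
    "refresh_token": ("grant_type", "refresh_token", "client_id"),
}
RESPONSE_FIELDS = ("access_token", "refresh_token", "token_type", "expires_in", "scope")

def s256_challenge(verifier: str) -> str:
    """code_challenge = BASE64URL(SHA256(code_verifier)), unpadded (assumed S256)."""
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")

def new_code_verifier() -> str:
    """64 random bytes -> 86 URL-safe chars, inside RFC 7636's 43..128 range."""
    return secrets.token_urlsafe(64)

def build_token_request(**fields) -> str:
    """Return the JSON body, rejecting missing or stray fields before sending."""
    grant = fields.get("grant_type")
    if grant not in REQUIRED:
        raise ValueError(f"unsupported grant_type: {grant!r}")
    missing = [k for k in REQUIRED[grant] if not fields.get(k)]
    # Client-side hygiene (assumption): never send another grant's secrets along.
    stray = sorted(set(fields) - set(REQUIRED[grant]) - {"resource"})
    if missing or stray:
        raise ValueError(f"missing={missing} stray={stray}")
    return json.dumps(fields, sort_keys=True)

def parse_token_response(body: str) -> dict:
    """Check the 200 response carries every required field with the documented type."""
    data = json.loads(body)
    absent = [k for k in RESPONSE_FIELDS if k not in data]
    if absent:
        raise ValueError(f"response missing {absent}")
    if str(data["token_type"]).lower() != "bearer":
        raise ValueError("unexpected token_type")
    if type(data["expires_in"]) is not int or data["expires_in"] <= 0:
        raise ValueError("expires_in must be a positive integer")
    data["scopes"] = data["scope"].split()  # space-separated per the field description
    return data

if __name__ == "__main__":
    verifier = new_code_verifier()  # keep in memory until the redirect returns
    print("code_challenge for the authorization request:", s256_challenge(verifier))
    # Constructed sample values; POST the body to /public/v1/oauth/token/
    print(build_token_request(grant_type="authorization_code", code="CONSTRUCTED_CODE",
                              code_verifier=verifier, client_id="CONSTRUCTED_CLIENT",
                              redirect_uri="http://127.0.0.1:8765/callback"))
```
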


## Response 400 fields

## Response 422 fields
