The token endpoint is used by the client to obtain an access token by presenting its authorization grant. Note that authentication requirements to this endpoint are configured by the application’s tokenEndpointAuthMethod
property. For authorization_code
grant, the application calls the POST /{{envID}}/as/token
endpoint to acquire the access token.
For an authorization_code
grant type in which the application’s tokenEndpointAuthMethod
is set to CLIENT_SECRET_POST
, the request does not need an Authorization
header, and the client_id
and client_secret
property values are submitted in the request body.
For a PKCE authorization request, the token request must include the code_verifier
parameter:
curl -X POST \
'https://auth.pingone.com/${{envID}}/as/token \
-H 'Content-Type: application/x-www-form-urlencoded' \
-d `'grant_type=authorization_code&code={{authCode}}&client_id={{appID}}&client_secret={{appSecret}}&redirect_uri={{redirect_uri}}&code_verifier={{codeVerifier}}'
To obtain a refresh token along with an access token, the client must be configured with the refresh_token
grant type and the authorization_code
grant type. With this configuration, a refresh token is generated along with the access token. When obtaining the original access token, a refresh token is included in the response, which is tied to the client and the user session. As long as the session exists and it is not expired (30 days since the last sign on), the /{{envID}}/as/token
endpoint can be used to exchange the refresh token for a new access token and refresh token. If the openid
scope is granted, an ID token is also included.
When a new refresh token is issued, the previous refresh token is rotated to prevent token abuse, which is useful when client authentication is disabled. In addition, when a refresh token is exchanged, the activeAt
property of the corresponding session is updated. This does not extend the duration of the session, but can be used to indicate that there is activity.
To revoke a refresh token, the corresponding session must be deleted. Session termination is supported only by the resource owner using the /{{envID}}/as/signoff
endpoint or by disabling the user.
For more information about access token claims, see Access token claims.
See OpenID Connect/OAuth 2 and Token for important overview information.
Run Authorize (authorization_code) to generate an authCode
. Run Authorize (authorization_code) to find an existing authorization code.
redirect_uri
values are an application attribute. See Application Operations for information about creating a new application. Run Read One Application to find the redirect_uri
value for an existing application.
Create an application to get an appID
. See Application Operations. Run Read All Applications to find an existing application.
appSecret
values are an application attribute. Run Update Application Secret to set an application secret. Run Read Application Secret to find an existing application secret.
Property | Type | Required? |
---|---|---|
client_id |
String | Required |
client_secret |
String | Required |
code |
String | Optional |
code_verifier |
String | Optional |
grant_type |
String | Optional |
redirect_uri |
String | Required |
See the OpenID Connect/OAuth2 data model for full property descriptions.