Token Endpoint
Exchange various types of credentials for access tokens, ID tokens, and refresh tokens. This endpoint is the core of OAuth 2.0 token exchange and supports multiple grant types.
Supported Grant Types:
- authorization_code - Exchange authorization code for tokens (Authorization Code Flow)
- authorization_code + code_verifier - Exchange with PKCE (Authorization Code Flow with PKCE)
- refresh_token - Get new access token using refresh token
- client_credentials - Machine-to-machine authentication
- password - Resource Owner Password flow
- urn:ietf:params:oauth:grant-type:device_code - Device authorization flow
- http://auth0.com/oauth/grant-type/mfa-otp - MFA verification with OTP
- http://auth0.com/oauth/grant-type/mfa-oob - MFA verification with OOB
- http://auth0.com/oauth/grant-type/mfa-recovery-code - MFA verification with recovery code
- http://auth0.com/oauth/grant-type/passwordless/otp - Passwordless authentication
- urn:ietf:params:oauth:grant-type:token-exchange - Token exchange for native social
The request body parameters vary based on the grant_type. See the examples below for each flow.
Documentation Index
Fetch the complete documentation index at: https://docs-staging.auth0-mintlify.app/llms.txt
Use this file to discover all available pages before exploring further.
Authorizations
The access token received from the authorization server in the OAuth 2.0 flow.
Headers
A DPoP proof JWT for enhanced security. Required only if your application uses Demonstrating Proof-of-Possession (DPoP).
Body
- Authorization Code
- Authorization Code (PKCE)
- Refresh Token
- Client Credentials
- Resource Owner Password
- Device Authorization
- MFA with OTP
- MFA with OOB
- MFA with Recovery Code
- Passwordless with OTP
- Token Exchange (Native Social)
Authorization Code Grant - Exchange an authorization code for tokens. Used by server-side web applications that can securely store a client secret.
Must be 'authorization_code'
authorization_code The authorization code received from the authorization endpoint
Your application's Client ID
The same redirect_uri used in the authorization request. Must match exactly.
Your application's Client Secret. Required for confidential clients.
The unique identifier of the target API you want to access
A JWT signed with your client secret or private key (for Private Key JWT authentication)
Must be 'urn:ietf:params:oauth:client-assertion-type:jwt-bearer' when using client_assertion
urn:ietf:params:oauth:client-assertion-type:jwt-bearer Response
Successful token exchange. Returns access token and optionally ID token and refresh token.
Successful token response containing access token and optionally ID token and refresh token
The access token issued by the authorization server. Use this token to access protected resources (APIs).
"eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCIsImtpZCI6IjEyMzQ1In0..."
The type of the token issued. Always 'Bearer' for Auth0.
Bearer "Bearer"
The lifetime in seconds of the access token. After this time, the token will expire and can no longer be used.
86400
The refresh token which can be used to obtain new access tokens. Only returned if 'offline_access' scope was requested.
"v1.MRHbz1VqR_y42v..."
The ID Token containing user profile information. Only returned if 'openid' scope was requested. This is a JWT containing user claims.
"eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9..."
The scopes granted by the authorization server. May differ from requested scopes.
"openid profile email"