Create Access Token
Procure access token from the provider for authorization.
Resource Information
Name | Value |
---|---|
Requires authentication? | No |
Rate limited? | No |
Request headers
Key | Value |
---|---|
Content-Type | application/x-www-form-urlencoded |
HTTP request
POST https://{tenantId}.{hostname}/auth/realms/{tenantId}/protocol/openid-connect/token
Note: API requests must be made over HTTPS. Calls made over plain HTTP will fail.
- Password
- Authorization_Code
- Client_Credentials
- Refresh_Token
- Implicit
Type -> password
Generating access token with grant_type as password.
Request body (*Required)
Parameter Name | Type | Description |
---|---|---|
grant_type* | String | The grant type should be password. |
username* | String | The username for which the token needs to be generated. |
password* | String | Password corresponding to the username. |
client_id* | String | The Client ID for which the access token is to be generated. |
client_secret | String | Secret corresponding to the given Client ID. A secret is available only for clients configured with Authorization Enabled = ON and with the access type set to confidential during client creation. This is an optional parameter. |
Sample Request
{
"grant_type" : "password",
"username": "testuser",
"password": "abc123",
"client_id": "demo",
"client_secret": "31d17a05-8874-23i2-b398-318b454eegb0a"
}
Response
Parameter Name | Type | Description |
---|---|---|
access_token | String | The newly created access token. |
expires_in | Integer | Validity of the access token in seconds. |
refresh_expires_in | Integer | Validity of the refresh token in seconds. |
refresh_token | String | The new refresh token. |
token_type | Integer | Indicates access token type. |
not-before-policy | Integer | Pushing new not-before policy would also mean that new public keys from {project_name} are forced to be retrieved from the program |
session_state | Integer | The session state value is based on the Client ID salted cryptographic hash, the root URL, and the browser state. |
scope | String | The scope requested for the token. |
Sample Response
{
"access_token": String,
"expires_in": Integer,
"refresh_expires_in": Integer,
"refresh_token": String,
"token_type": "bearer",
"not-before-policy": 0,
"session_state": String,
"scope": String
}
Type -> authorization_code
Generating access token with grant_type as authorization_code.
Request body (*Required)
Parameter Name | Type | Description |
---|---|---|
grant_type* | String | The grant type should be authorization_code. |
client_id* | String | The Client ID for which the access token is to be generated. |
code* | String | Unique code generated after the final authorization point. |
redirect_uri* | String | Enter the final authorization point for your authorization server. |
Sample Request
{
"grant_type": "authorization_code",
"client_id": "testuser",
"code": "86c2df40-47b5-4d5d-a83b-0e109868cfba.35d115b7-04f9-42",
"redirect_uri": "https%3A%2F%2dtest.com"
}
Response
Parameter Name | Type | Description |
---|---|---|
access_token | String | The newly created access token. |
expires_in | Integer | Validity of the access token in seconds. |
refresh_expires_in | Integer | Validity of the refresh token in seconds. |
refresh_token | String | The new refresh token. |
token_type | Integer | Indicates access token type. |
not-before-policy | Integer | Pushing new not-before policy would also mean that new public keys from {project_name} are forced to be retrieved from the program |
session_state | Integer | The session state value is based on the Client ID salted cryptographic hash, the root URL, and the browser state. |
scope | String | The scope requested for the token. |
Sample Response
{
"access_token": String,
"expires_in": Integer,
"refresh_expires_in": Integer,
"refresh_token": String,
"token_type": "bearer",
"not-before-policy": 0,
"session_state": String,
"scope": String
}
Type -> client_credentials
Generating access token with grant_type as client_credentials.
Request body (*Required)
Parameter Name | Type | Description |
---|---|---|
grant_type* | String | The grant type should be client_credentials. |
client_id* | String | The Client ID for which the access token is to be generated. NOTE: Make sure the Service Accounts Enabled option is switched to ON for the respective client. |
client_secret* | String | Secret corresponding to the given Client ID. A secret is available only for clients configured with Authorization Enabled = ON and with the access type set to confidential during client creation. |
Sample Request
{
"grant_type" : "client_credentials",
"client_id": "demo",
"client_secret": "31d17a05-8874-23i2-b398-318b454eegb0a"
}
Response
Parameter Name | Type | Description |
---|---|---|
access_token | String | The newly created access token. |
expires_in | Integer | Validity of the access token in seconds. |
refresh_expires_in | Integer | Validity of the refresh token in seconds. |
refresh_token | String | The new refresh token. |
token_type | Integer | Indicates access token type. |
not-before-policy | Integer | Pushing new not-before policy would also mean that new public keys from {project_name} are forced to be retrieved from the program |
session_state | Integer | The session state value is based on the Client ID salted cryptographic hash, the root URL, and the browser state. |
scope | String | The scope requested for the token. |
Sample Response
{
"access_token": String,
"expires_in": Integer,
"refresh_expires_in": Integer,
"refresh_token": String,
"token_type": "bearer",
"not-before-policy": 0,
"session_state": String,
"scope": String
}
Type -> refresh_token
Generating access token with grant_type as refresh_token.
Request body (*Required)
Parameter Name | Type | Description |
---|---|---|
grant_type* | String | The grant type should be refresh_token. |
refresh_token* | String | Provide the refresh token which is generated for the client. |
client_id* | String | The Client ID for which the access token is to be generated. |
client_secret* | String | Secret corresponding to the given Client ID. A secret is available only for clients configured with Authorization Enabled = ON and with the access type set to confidential during client creation. |
Sample Request
{
"grant_type" : "refresh_token",
"refresh_token" : "eyJhbGciOiJIUzI1NiIsInR5cCIgOiAiSldUIiwia2",
"client_id": "demo",
"client_secret": "31d17a05-8874-23i2-b398-318b454eegb0a"
}
Response
Parameter Name | Type | Description |
---|---|---|
access_token | String | The newly created access token. |
expires_in | Integer | Validity of the access token in seconds. |
refresh_expires_in | Integer | Validity of the refresh token in seconds. |
refresh_token | String | The new refresh token. |
token_type | Integer | Indicates access token type. |
not-before-policy | Integer | Pushing new not-before policy would also mean that new public keys from {project_name} are forced to be retrieved from the program |
session_state | Integer | The session state value is based on the Client ID salted cryptographic hash, the root URL, and the browser state. |
scope | String | The scope requested for the token. |
Sample Response
{
"access_token": String,
"expires_in": Integer,
"refresh_expires_in": Integer,
"refresh_token": String,
"token_type": "bearer",
"not-before-policy": 0,
"session_state": String,
"scope": String
}
Type -> implicit
Generating access token with grant_type as implicit.
Request body (*Required)
Parameter Name | Type | Description |
---|---|---|
Server Template* | List | Select the server template where the user needs to authorize. |
Partner ID* | String | Provide the Partner ID where the user needs to authorize. |
Redirect URL* | String | Provide the URL where the user needs to be redirected on execution. |
client_id* | String | The Client ID for which the access token is to be generated. |
scope | String | The scope requested for the token. |
Nonce | String | Autogenerated UUID. |
Response Type* | String | Select the type of response that has to be received on execution. |
Response Mode* | String | Select the type how the Authorization Server should return the result parameters from the Authorization Endpoint. |
Sample Request
{
"server template" : "custom",
"partner id" : "demo1",
"client_id": "demo",
"redirect url": "https%3A%2F%2dtest.com",
"scope": "openid",
"nonce": "P3dcYMhyfwZs",
"response type": "token",
"response mode": "form post"
}
Response
Parameter Name | Type | Description |
---|---|---|
access_token | String | The newly created access token. |
expires_in | Integer | Validity of the access token in seconds. |
refresh_expires_in | Integer | Validity of the refresh token in seconds. |
refresh_token | String | The new refresh token. |
token_type | Integer | Indicates access token type. |
not-before-policy | Integer | Pushing new not-before policy would also mean that new public keys from {project_name} are forced to be retrieved from the program |
session_state | Integer | The session state value is based on the Client ID salted cryptographic hash, the root URL, and the browser state. |
scope | String | The scope requested for the token. |
Sample Response
{
"access_token": String,
"expires_in": Integer,
"refresh_expires_in": Integer,
"refresh_token": String,
"token_type": "bearer",
"not-before-policy": 0,
"session_state": String,
"scope": String
}
Response Status Information
Status Code | Status | Message |
---|---|---|
200 | OK | OK. |
401 | Unauthorized | HTTP 401 Unauthorized. |
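The sample requests above are written as JSON objects, but the required Content-Type is application/x-www-form-urlencoded, so the body actually sent is a form-encoded string. The following added example (not part of the provider's documentation) builds that request for the password, authorization_code, client_credentials and refresh_token grants and converts the response lifetimes into deadlines. The helper names, the tenant `tenant1`, the host `example.com` and all secrets and tokens are assumptions made for illustration.

```python
import json, re, time
import urllib.parse, urllib.request

# Required body parameters per grant type, copied from the request tables above.
REQUIRED = {
    "password": {"username", "password", "client_id"},
    "authorization_code": {"client_id", "code", "redirect_uri"},
    "client_credentials": {"client_id", "client_secret"},
    "refresh_token": {"refresh_token", "client_id", "client_secret"},
}

def build_token_request(tenant_id, hostname, grant_type, **params):
    """Return an unsent POST request for the token endpoint (hypothetical helper)."""
    # Reject values that could change the host the credentials are sent to.
    if not re.fullmatch(r"[A-Za-z0-9-]+", tenant_id):
        raise ValueError("invalid tenant_id")
    if not re.fullmatch(r"[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)*", hostname):
        raise ValueError("invalid hostname")
    if grant_type not in REQUIRED:
        raise ValueError(f"unsupported grant_type: {grant_type}")
    missing = REQUIRED[grant_type] - set(params)
    if missing:
        raise ValueError(f"missing required parameters: {sorted(missing)}")
    url = (f"https://{tenant_id}.{hostname}/auth/realms/{tenant_id}"
           "/protocol/openid-connect/token")
    # urlencode() percent-encodes each value once: pass the raw redirect_uri,
    # not an already-encoded one, or the server receives a double-encoded value.
    body = urllib.parse.urlencode({"grant_type": grant_type, **params})
    return urllib.request.Request(
        url, data=body.encode("ascii"), method="POST",
        headers={"Content-Type": "application/x-www-form-urlencoded"})

def parse_token_response(raw, now=None):
    """Parse a 200 response body; turn the relative lifetimes into deadlines."""
    doc = json.loads(raw)
    if str(doc.get("token_type", "")).lower() != "bearer":
        raise ValueError("unexpected token_type")
    now = time.time() if now is None else now
    return {"access_token": doc["access_token"],
            "refresh_token": doc.get("refresh_token"),
            "expires_at": now + int(doc["expires_in"]),
            "refresh_expires_at": now + int(doc.get("refresh_expires_in", 0))}

# Constructed sample values: tenant, host, secret and tokens are placeholders.
REQ = build_token_request("tenant1", "example.com", "client_credentials",
                          client_id="demo", client_secret="not-a-real-secret")
SAMPLE = ('{"access_token": "aaa.bbb.ccc", "expires_in": 300, "token_type": "bearer", '
          '"refresh_expires_in": 1800, "refresh_token": "ddd.eee.fff"}')
TOKEN = parse_token_response(SAMPLE, now=1000)
```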