Skip to main content
Version: 4.18.1

Create Access Token

Procure access token from the provider for authorization.

Resource Informations

Requires authentication?No
Rate limited?No

Request headers


HTTP request

POST https://{tenantId}.{hostname}/auth/realms/{tenantId}/protocol/openid-connect/token

API requests must be made over https. Calls made over plain http will fail.

Type -> password

Generating access token with grant_type as password.

Request body (*Required)

Parameter NameTypeDescription
grant_type*StringThe grant type should be password.
username*StringThe username for which the token needs to be generated.
password*StringPassword corresponding to the username.
client_id*StringThe Client ID for which the access token is to be generated.
client_secretStringSecret corresponding to the given clientID. Secret will be available only for the clients with the configuration Authorization Enabled= ON & if the access type selected is confidential during client creation. This is an optional parameter.
"grant_type" : "password",
"username": "testuser",
"password": "abc123",
"client_id": "demo",
"client_secret": "31d17a05-8874-23i2-b398-318b454eegb0a"


Parameter NameTypeDescription
access_tokenStringThe newly created access token.
expires_inIntegerValidity of the access token in seconds.
refresh_expires_inIntegerValidity of the refresh token in seconds.
refresh_tokenStringThe new refresh token.
token_typeIntegerIndicates access token type.
not-before-policyIntegerPushing new not-before policy would also mean that new public keys from {project_name} are forced to be retrieved from the program
session_stateIntegerThe session state value is based on the Client ID salted cryptographic hash, the root URL, and the browser state.
scopeStringThe scope requested for the token.

Sample Response

"access_token": String,
"expires_in": Integer,
"refresh_expires_in": Integer,
"refresh_token": String,
"token_type": "bearer",
"not-before-policy": 0,
"session_state": String,
"scope": String

Response Status Information

Status CodeStatusMessage
401UnauthorizedHTTP 401 Unauthorized.