Skip to main content

Authorization Code

This section describes how to procure an access token for authorization using the authorization code as a grant type.

Resource Informations

Requires authentication?YesClientID is required for this authentication
Rate limited?NoRate limited indicate how many requests a client can make in a time period


Request headers

Content-Typeapplication/x-www-form-urlencodedMethod for sending name-value pairs data to the server, such as the information you typed into a HTML form.

HTTP request

POST https://{tenantId}.{hostname}/auth/realms/{tenantId}/protocol/openid-connect/token

API requests must be made over https. Calls made over plain http will fail.

Request body (*Required)

Parameter NameTypeDescription
grant_type*StringThe grant type should be authorization_code.
client_id*StringThe Client ID for which the access token is to be generated.
code*StringUnique code generated after the final authorization point. You must first acquire an authorization code before requesting an access token, if you are utilizing the authorization code grant type flow Click Here.
redirect_uri*StringEnter the final authorization point for your authorization server.

Sample Request

curl --location --request POST 'https://{tenantId}.{hostname}/auth/realms/{tenantId}/protocol/openid-connect/token' \
--header 'Content-Type: application/x-www-form-urlencoded' \
--data-urlencode 'grant_type=authorization_code' \
--data-urlencode 'client_id=test' \
--data-urlencode 'code=fe5a6d3f-6f49-4fee-9063-b07a2fb8175b.38572ecd-5afa-4a20-8ca9-271716fd0c0b.7de9afe4-5e3b-4f62-a81c-57f0f71c0a9d' \
--data-urlencode ''


Parameter NameTypeDescription
access_tokenStringThe newly created access token.
expires_inIntegerValidity of the access token in seconds.
refresh_expires_inIntegerValidity of the refresh token in seconds.
refresh_tokenStringThe new refresh token.
token_typeStringIndicates access token type.
not-before-policyIntegernot-before policy ensures that any tokens issued before that time become invalid
session_stateIntegerThe Client ID salted cryptographic hash, the root URL, and the browser state are all included in the session state value. Basically session_state value is used to monitor end user sessions.
scopeStringThe scope requested for the token.

Sample Response

"access_token": String,
"expires_in": Integer,
"refresh_expires_in": Integer,
"refresh_token": String,
"token_type": "Bearer",
"not-before-policy": 0,
"session_state": String,
"scope": String

Response Status Information

Status CodeStatusMessage
400Bad RequestCode not valid
401UnauthorizedHTTP 401 Unauthorized
404Not FoundRealm does not exist