Token Endpoint

Exchanges an authorization code for an access token, or issues a token under the client credentials grant.

Endpoint

POST /oauth/token

Headers

| Header | Required | Description |
| --- | --- | --- |
| Content-Type | Yes | application/x-www-form-urlencoded |

Form Parameters (Authorization Code Grant)

| Parameter | Type | Required | Description |
| --- | --- | --- | --- |
| grant_type | string | Yes | Must be "authorization_code" |
| code | string | Yes | Authorization code from /authorize endpoint |
| redirect_uri | string | Yes | Must match the redirect_uri used in authorization |
| code_verifier | string | No | PKCE code verifier (required if PKCE was used) |
| client_id | string | Yes | OAuth application client ID |
| client_secret | string | Yes | OAuth application client secret |

Form Parameters (Client Credentials Grant)

| Parameter | Type | Required | Description |
| --- | --- | --- | --- |
| grant_type | string | Yes | Must be "client_credentials" |
| client_id | string | Yes | OAuth application client ID |
| client_secret | string | Yes | OAuth application client secret |
| scope | string | No | Space-separated list of requested scopes |

Response

Success (200)

{
  "access_token": "eyJhbGciOiJIUzI1NiIs...",
  "token_type": "Bearer",
  "expires_in": 3600,
  "refresh_token": "eyJhbGciOiJIUzI1NiIs...",
  "scope": "read write"
}

Error (400)

{
  "error": "invalid_grant",
  "error_description": "Invalid authorization code"
}

Features

  • Supports Authorization Code grant
  • Supports Client Credentials grant
  • Validates PKCE code verifier if used
  • Returns access token and refresh token
  • Token expiration follows organization settings

Example - Authorization Code

curl -X POST "https://api.rivergen.com/oauth/token" \
  -H "Content-Type: application/x-www-form-urlencoded" \
  -d "grant_type=authorization_code&code=AUTHORIZATION_CODE&client_id=CLIENT_ID&client_secret=CLIENT_SECRET&code_verifier=CODE_VERIFIER" \
  --data-urlencode "redirect_uri=https://myapp.com/callback"
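
The PKCE check listed under Features, shown from both sides as an added example (not RiverGen's code): the client creates the verifier and challenge and builds the percent-encoded form body from the parameter table above, and a server-side function recomputes the challenge. It assumes the S256 method from RFC 7636; all function names are hypothetical.

```python
import base64
import hashlib
import hmac
import re
import secrets
from urllib.parse import urlencode

# RFC 7636 section 4.1: 43-128 characters from the unreserved set.
VERIFIER_RE = re.compile(r"[A-Za-z0-9\-._~]{43,128}")


def s256_challenge(code_verifier):
    """BASE64URL(SHA256(verifier)) without padding (RFC 7636 section 4.2)."""
    digest = hashlib.sha256(code_verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def new_pkce_pair():
    """Client side: the verifier stays local, the challenge goes to /authorize."""
    verifier = secrets.token_urlsafe(64)  # 86 characters, inside the 43-128 range
    return verifier, s256_challenge(verifier)


def token_request_body(code, redirect_uri, client_id, client_secret,
                       code_verifier=None):
    """Form body for the authorization code grant; urlencode percent-encodes values."""
    fields = {
        "grant_type": "authorization_code",
        "code": code,
        "redirect_uri": redirect_uri,
        "client_id": client_id,
        "client_secret": client_secret,
    }
    if code_verifier is not None:  # only present when PKCE was used
        fields["code_verifier"] = code_verifier
    return urlencode(fields)


def verifier_matches(code_verifier, stored_challenge):
    """Server side (assumed S256): reject malformed input, compare in constant time."""
    if not VERIFIER_RE.fullmatch(code_verifier):
        return False
    expected = s256_challenge(code_verifier).encode("ascii")
    return hmac.compare_digest(expected, stored_challenge.encode("utf-8"))
```
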

Example - Client Credentials

curl -X POST "https://api.rivergen.com/oauth/token" \
  -H "Content-Type: application/x-www-form-urlencoded" \
  -d "grant_type=client_credentials&client_id=CLIENT_ID&client_secret=CLIENT_SECRET" \
  --data-urlencode "scope=read write"