OAuth - Token Endpoint



The token endpoint is an authorization endpoint used by the client to obtain an access token by presenting its:

The token endpoint is used with every authorization grant except for the implicit grant type (since an access token is issued directly).

A single token endpoint may issue access tokens accepted by multiple resource servers.


  • Access Token Request
POST /token HTTP/1.1
Host: server.example.com
Authorization: Basic czZCaGRSa3F0MzpnWDFmQmF0M2JW
Content-Type: application/x-www-form-urlencoded


  • Successful Access Token Response
HTTP/1.1 200 OK
Content-Type: application/json;charset=UTF-8
Cache-Control: no-store
Pragma: no-cache



  • URI:
  • HTTPS: Since requests to the token endpoint result in the transmission of clear-text credentials (in the HTTP request and response), the authorization server MUST require the use of TLS when sending requests to the token endpoint.
  • HTTP Method: The client MUST use the HTTP “POST” method when making access token requests.
  • Parameters sent without a value MUST be treated as if they were omitted from the request.
  • The authorization server MUST ignore unrecognized request parameters.
  • Request and response parameters MUST NOT be included more than once.

Client Id

  • An authenticated client MAY use the client_id request parameter to identify itself when sending requests to the token endpoint.
  • An unauthenticated client MUST send its “client_id” in the authorization_code grant_type request (to prevent itself from inadvertently accepting a code intended for a client with a different “client_id”. This protects the client from substitution of the authentication code. (It provides no additional security for the protected resource.)

Scope request

See scope request


Scope response

See scope response



Documentation / Reference

Discover More
OAuth - Token Endpoint

The token endpoint is an authorization endpoint used by the client to obtain an access token by presenting its: authorization grant or refresh token. The token endpoint is used with every authorization...
Oauth - Credential

This page lists all token used in OAuth Credential Type Type Description Used to access the protected resources Used to get a access token (and eventually a refresh token ...
Oauth - Refresh token

When an access token expires, developers can use an optional refresh token to request a new access token without having to ask the user to enter their credentials again. Refresh tokens are credentials...
What is an Authorization Server in Oauth?

The Authorization Server in Oauth is one of the 4 oauth roles. It's the server issuing access tokens to the client after successfully authenticating the resource owner and obtaining authorization. ...
What is the OAuth Authorization Code Flow?

The authorization code grant type (flow) works with an intermediate credential called a authorization code. It is a indirect and redirection-based flow that is optimized for confidential clients. The...
What is the scope in the Oauth authentication protocol

This page explains what the scope means in the Oauth authentication protocol

Share this page:
Follow us:
Task Runner