OAuth - Token Endpoint


The token endpoint is an authorization endpoint used by the client to obtain an access token by presenting its:

The token endpoint is used with every authorization grant except for the implicit grant type (since an access token is issued directly).

A single token endpoint may issue access tokens accepted by multiple resource servers.


  • Access Token Request
POST /token HTTP/1.1
Host: server.example.com
Authorization: Basic czZCaGRSa3F0MzpnWDFmQmF0M2JW
Content-Type: application/x-www-form-urlencoded

  • Successful Access Token Response
HTTP/1.1 200 OK
Content-Type: application/json;charset=UTF-8
Cache-Control: no-store
Pragma: no-cache



  • URI:
  • HTTPS: Since requests to the token endpoint result in the transmission of clear-text credentials (in the HTTP request and response), the authorization server MUST require the use of TLS when sending requests to the token endpoint.
  • HTTP Method: The client MUST use the HTTP “POST” method when making access token requests.
  • Parameters sent without a value MUST be treated as if they were omitted from the request.
  • The authorization server MUST ignore unrecognized request parameters.
  • Request and response parameters MUST NOT be included more than once.

Client Id

  • An authenticated client MAY use the client_id request parameter to identify itself when sending requests to the token endpoint.
  • An unauthenticated client MUST send its “client_id” in the authorization_code grant_type request to prevent itself from inadvertently accepting a code intended for a client with a different “client_id”. This protects the client from substitution of the authentication code. (It provides no additional security for the protected resource.)
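
The request rules listed above (TLS, POST, blank, unrecognized and repeated parameters) and the client_id requirement, checked on the server side in an added Python example that is not part of the original page or of any project's code. The function name, its arguments, the error descriptions and the sample body are assumptions made for illustration; the caller is assumed to have already verified any client credentials and to know the request scheme reliably.

```python
from urllib.parse import parse_qsl

# Token request parameters defined by RFC 6749; anything else is ignored.
# Extension parameters a server supports would be added here (assumption).
KNOWN_PARAMS = {"grant_type", "code", "redirect_uri", "client_id", "client_secret",
                "refresh_token", "scope", "username", "password"}
FORM = "application/x-www-form-urlencoded"

class TokenRequestError(Exception):
    """Rejected request; `error` is the OAuth error code to return."""
    def __init__(self, error, description):
        super().__init__(description)
        self.error = error

def parse_token_request(method, scheme, content_type, body, client_authenticated):
    """Apply the request rules listed above and return the usable parameters."""
    if scheme != "https":                       # credentials travel in clear text
        raise TokenRequestError("invalid_request", "TLS is required")
    if method != "POST":
        raise TokenRequestError("invalid_request", "POST is required")
    if content_type.split(";")[0].strip().lower() != FORM:
        raise TokenRequestError("invalid_request", "form-encoded body required")
    params = {}
    for name, value in parse_qsl(body, keep_blank_values=True):
        if name not in KNOWN_PARAMS:
            continue                            # unrecognized: ignore, do not fail
        if name in params:                      # a blank duplicate still counts
            raise TokenRequestError("invalid_request", f"{name} sent more than once")
        params[name] = value
    # A parameter sent without a value is treated as if it were omitted.
    params = {k: v for k, v in params.items() if v != ""}
    if "grant_type" not in params:
        raise TokenRequestError("invalid_request", "grant_type is missing")
    if (params["grant_type"] == "authorization_code"
            and not client_authenticated and "client_id" not in params):
        raise TokenRequestError("invalid_request", "client_id is required")
    return params

# Constructed sample body: blank scope, an unknown parameter, placeholder code.
SAMPLE_BODY = ("grant_type=authorization_code&code=EXAMPLE_CODE&scope="
               "&redirect_uri=https%3A%2F%2Fclient.example.com%2Fcb&debug=1")

if __name__ == "__main__":
    print(parse_token_request("POST", "https", FORM, SAMPLE_BODY, True))
    try:
        parse_token_request("POST", "https", FORM, SAMPLE_BODY, False)
    except TokenRequestError as exc:
        print(exc.error, "-", exc)
```

Duplicates are rejected before blank values are dropped, so a request that sends a parameter once with a value and once empty is refused rather than silently resolved.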

Scope request


Scope response


