Token Endpoint
The client must send a token request to this endpoint, presenting the authorization code it received, with the parameters below passed in query string format.
URLs
| Method | URL | Action | Description |
|---|---|---|---|
| POST | /api/token/v2 | Register | Exchanges the authorization code for tokens (id_token and access_token) |
Production:
{security-producao}/api/token/v2
Staging:
{security-homologacao}/api/token/v2
Parameters
| Parameter | Required | Description | Example |
|---|---|---|---|
| grant_type | Yes | Grant type | authorization_code |
| client_id | Yes | Client ID | exampleClient |
| client_secret | Yes | Client secret | ********** |
| code | Yes | Received authorization code | 50b98752-ac5e-4bf3-a59b-7456f9f58685 |
Request Example
Production:
POST {security-producao}/api/token/v2?grant_type=authorization_code&client_id=exampleClient&client_secret=**********&code=******
Staging:
POST {security-homologacao}/api/token/v2?grant_type=authorization_code&client_id=exampleClient&client_secret=**********&code=******
Success Response
The response is a JSON document in the format of the example below:
```json
{
  "id_token": "qbcd.1234.xyz",
  "access_token": "44f5380d-8caa-442c-a1ad-11a1b211bf49",
  "token_type": "Bearer",
  "expires_in": 3600,
  "refresh_token": "12c270b0-5512-40e8-ci0c-f67d50489486",
  "scope": "profile"
}
```
Response Fields
| Field | Description |
|---|---|
| id_token | JWT with user-related information |
| access_token | Not supported |
| token_type | Token type (always "Bearer") |
| expires_in | Remaining validity time in seconds |
| refresh_token | Not supported |
| scope | User permissions granted to the client |
Possible Errors
- "The request is missing a parameter": Missing required parameters (client_id, client_secret, grant_type, code)
- "The informed Client ID is invalid": Invalid Client ID
- "The informed Client Secret does not match the correct secret": Incorrect Client Secret
- "The informed authorization code is invalid": Invalid or already used authorization code
- "The informed Grant Type is invalid or not implemented": Invalid or not implemented Grant Type
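The block below is an added example, not code from the original documentation or its project. It implements the client side of the exchange against the Parameters, Response Fields and Possible Errors tables above: it builds the request, rejects a success response that does not match the field table, classifies each documented error message by what the client should do next, and turns `expires_in` into an absolute expiry. The base URL, the error body shape (`{"error": "<message>"}`), the stub endpoint and the secret value are assumptions made for this example; the sample code, token values and error strings come from the tables above.

```javascript
// Placeholder for {security-producao} / {security-homologacao} from the URLs section.
const TOKEN_URL = 'https://security-host.example/api/token/v2';

// Builds the four required parameters from the Parameters table. The secret goes in
// the form-encoded body, not the URL, so it stays out of access logs and history.
function buildTokenRequest({ clientId, clientSecret, code }) {
  for (const [name, value] of Object.entries({ clientId, clientSecret, code })) {
    if (typeof value !== 'string' || value.length === 0) {
      throw new TypeError(`${name} is required`);
    }
  }
  return new URLSearchParams({
    grant_type: 'authorization_code',
    client_id: clientId,
    client_secret: clientSecret,
    code,
  }).toString();
}

// Messages from the Possible Errors list that point at a client-side defect.
const CLIENT_DEFECTS = [
  'The request is missing a parameter',
  'The informed Client ID is invalid',
  'The informed Client Secret does not match the correct secret',
  'The informed Grant Type is invalid or not implemented',
];

// Maps an error message to the client's reaction. None is fixed by resending the same
// request: a rejected code means the user must authorize again (codes are single-use).
function classifyTokenError(message) {
  if (message === 'The informed authorization code is invalid') return { retry: false, restartLogin: true };
  return { retry: false, restartLogin: false, clientDefect: CLIENT_DEFECTS.includes(message) };
}

// Checks a success body against the Response Fields table and keeps only the
// usable fields (access_token and refresh_token are "Not supported").
function parseTokenResponse(body, nowMs) {
  if (typeof body.id_token !== 'string' || body.id_token.length === 0) {
    throw new Error('token response has no id_token');
  }
  if (body.token_type !== 'Bearer') {
    throw new Error(`unexpected token_type: ${body.token_type}`);
  }
  if (!Number.isInteger(body.expires_in) || body.expires_in <= 0) {
    throw new Error(`unexpected expires_in: ${body.expires_in}`);
  }
  return {
    idToken: body.id_token,
    scope: body.scope,
    expiresAtMs: nowMs + body.expires_in * 1000, // absolute expiry for the caller
  };
}

// Performs the exchange. `fetchImpl` is injected so the example runs against the stub
// below offline. The error body shape ({ "error": "<message>" }) is an assumption.
async function exchangeCode(params, fetchImpl = globalThis.fetch) {
  const response = await fetchImpl(TOKEN_URL, {
    method: 'POST',
    headers: { 'Content-Type': 'application/x-www-form-urlencoded' },
    body: buildTokenRequest(params),
  });
  const body = await response.json();
  if (!response.ok) {
    const message = typeof body.error === 'string' ? body.error : `HTTP ${response.status}`;
    throw Object.assign(new Error(message), classifyTokenError(message));
  }
  return parseTokenResponse(body, Date.now());
}

// Constructed stub of the endpoint: one valid client, one single-use code, and the
// page's own error messages and sample response values.
function makeStubFetch() {
  const unusedCodes = new Set(['50b98752-ac5e-4bf3-a59b-7456f9f58685']);
  const reply = (status, payload) => ({ ok: status < 400, status, json: async () => payload });
  return async (_url, init) => {
    const form = new URLSearchParams(init.body);
    if (form.get('client_id') !== 'exampleClient') {
      return reply(400, { error: 'The informed Client ID is invalid' });
    }
    if (!unusedCodes.delete(form.get('code'))) {
      return reply(400, { error: 'The informed authorization code is invalid' });
    }
    return reply(200, { id_token: 'qbcd.1234.xyz', token_type: 'Bearer', expires_in: 3600, scope: 'profile' });
  };
}

// Demo: the first exchange succeeds; replaying the same code is rejected and the
// classified error tells the caller to restart login rather than retry.
async function demo() {
  const stub = makeStubFetch();
  const params = { clientId: 'exampleClient', clientSecret: 'constructed-secret',
    code: '50b98752-ac5e-4bf3-a59b-7456f9f58685' };
  const tokens = await exchangeCode(params, stub);
  const replay = await exchangeCode(params, stub).catch((e) => e);
  return { scope: tokens.scope, replayRestartsLogin: replay.restartLogin === true };
}

demo().then(console.log);
```

The stub keeps the authorization code single-use, which is the situation the "Invalid or already used authorization code" entry describes, so running the block shows one successful exchange followed by a rejected replay. To call the real service, pass the real `fetch` and replace `TOKEN_URL` with the production or staging URL from the URLs section.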
Implementation Example
```javascript
async function exchangeCodeForToken(code) {
  // The client secret is sent in the form-encoded body rather than in the URL.
  const response = await fetch('{security-producao}/api/token/v2', {
    method: 'POST',
    headers: {
      'Content-Type': 'application/x-www-form-urlencoded',
    },
    body: new URLSearchParams({
      grant_type: 'authorization_code',
      client_id: 'exampleClient',
      client_secret: 'your_client_secret',
      code: code
    })
  });
  const tokens = await response.json();
  if (!response.ok || !tokens.id_token) {
    // See "Possible Errors" for the messages the endpoint can return.
    throw new Error(`Token request failed: HTTP ${response.status}`);
  }
  // Validate the ID Token before using it (see "Next Step").
  validateIdToken(tokens.id_token);
  return tokens;
}
```
Next Step
After receiving the tokens, you must validate the ID Token before using it.
