/oauth/token

OAuth 2.0 token endpoint. Supports the authorization_code, refresh_token, client_credentials and urn:ietf:params:oauth:grant-type:device_code grant types. Supports private_key_jwt client authentication (the client_assertion_type and client_assertion form parameters) and DPoP sender-constrained access tokens (the DPoP proof JWT travels in the DPoP HTTP header, RFC 9449, not in the form body). Responses are flat JSON with no code/message envelope: a successful body carries the token fields at top level and an error body carries error and error_description at top level. References: RFC 6749 §4.1.3 (Authorization Code Grant), §4.3 (Resource Owner Password Credentials; cited for reference only, the password grant is not among the supported grant_type values), §4.4 (Client Credentials), §5.1-5.2 (token and error responses), RFC 7636 (PKCE), RFC 8628 §3.4 (Device Code).
| Name | In | Type | Required | Default | Example | Constraints | Description |
|---|---|---|---|---|---|---|---|
| grant_type | formData | string | Yes | | | One of: authorization_code, refresh_token, client_credentials, urn:ietf:params:oauth:grant-type:device_code | Grant type; determines which of the parameters below are required |
| code | formData | string | No | | | | Authorization code (required for authorization_code). A code is single-use: RFC 6749 §4.1.2 requires the server to deny a reused code and recommends revoking the tokens issued from it |
| redirect_uri | formData | string | No | | | Must be identical to the redirect_uri sent in the authorization request (RFC 6749 §4.1.3) | Redirect URI (required for authorization_code when the authorization request carried one) |
| client_id | formData | string | No | | | | Client ID. Public clients identify themselves with this parameter alone; confidential clients additionally authenticate with client_secret or a client_assertion |
| client_secret | formData | string | No | | | | Client secret of a confidential client. Not used together with private_key_jwt |
| refresh_token | formData | string | No | | | | Refresh token (required for refresh_token) |
| code_verifier | formData | string | No | | | 43 to 128 unreserved characters (RFC 7636 §4.1) | PKCE code verifier (required for public clients). The server hashes it and compares the result with the code_challenge stored alongside the authorization code |
| device_code | formData | string | No | | | | Device code (required for urn:ietf:params:oauth:grant-type:device_code) |
| client_assertion_type | formData | string | No | | | urn:ietf:params:oauth:client-assertion-type:jwt-bearer (RFC 7523 §2.2) | Client assertion type (private_key_jwt) |
| client_assertion | formData | string | No | | | | Client assertion JWT signed with the client's registered private key (private_key_jwt). Its aud must identify this authorization server and its exp must lie in the future (RFC 7523 §3) |
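The request side of the table above, as an added example that is not the project's own client or server code: client-side generation of a PKCE verifier/challenge pair, the server-side constant-time check of code_verifier against the stored code_challenge, and a form-body builder that enforces the table's "required for" rules before a request leaves the client. The authorization code, redirect URI and client_id in the walk-through at the bottom are constructed placeholders; only the Python standard library is used.

```python
import base64
import hashlib
import hmac
import secrets
from typing import Dict, List, Tuple
from urllib.parse import urlencode

# The four grant types the endpoint lists, mapped to the form parameters
# the parameter table marks as "required for" that grant.
DEVICE_CODE_GRANT = "urn:ietf:params:oauth:grant-type:device_code"
REQUIRED_PARAMS = {
    "authorization_code": ("code", "redirect_uri"),
    "refresh_token": ("refresh_token",),
    "client_credentials": (),
    DEVICE_CODE_GRANT: ("device_code",),
}


def b64url(raw: bytes) -> str:
    """base64url without '=' padding, the encoding RFC 7636 prescribes."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def make_pkce_pair() -> Tuple[str, str]:
    """Client side: return (code_verifier, code_challenge) for method S256.

    32 random bytes encode to 43 characters, the minimum RFC 7636 §4.1 allows,
    carrying 256 bits of entropy. The challenge goes into the authorization
    request; the verifier stays with the client until the token request.
    """
    verifier = b64url(secrets.token_bytes(32))
    challenge = b64url(hashlib.sha256(verifier.encode("ascii")).digest())
    return verifier, challenge


def verify_pkce(code_verifier: str, stored_challenge: str) -> bool:
    """Server side: recompute S256(code_verifier) and compare it with the
    code_challenge stored next to the authorization code (RFC 7636 §4.6).

    The comparison is constant time, so the check does not reveal how many
    leading characters of a guessed verifier were correct.
    """
    if not 43 <= len(code_verifier) <= 128:
        return False
    expected = b64url(hashlib.sha256(code_verifier.encode("ascii")).digest())
    return hmac.compare_digest(expected, stored_challenge)


def missing_params(grant_type: str, public_client: bool, params: Dict[str, str]) -> List[str]:
    """Names of parameters required for this grant that are absent or empty."""
    if grant_type not in REQUIRED_PARAMS:
        raise ValueError(f"unsupported_grant_type: {grant_type}")
    required = list(REQUIRED_PARAMS[grant_type])
    if grant_type == "authorization_code" and public_client:
        required.append("code_verifier")  # the table: required for public clients
    return [name for name in required if not params.get(name)]


def build_token_request(grant_type: str, *, public_client: bool = False, **params: str) -> str:
    """Return the application/x-www-form-urlencoded body for POST /oauth/token,
    refusing to build a request the server would reject as invalid_request."""
    missing = missing_params(grant_type, public_client, params)
    if missing:
        raise ValueError(f"invalid_request: missing {', '.join(missing)}")
    body = {"grant_type": grant_type}
    body.update({k: v for k, v in params.items() if v})
    return urlencode(body)


if __name__ == "__main__":
    # Constructed walk-through of a public client's authorization_code exchange.
    verifier, challenge = make_pkce_pair()
    # The client sends code_challenge=<challenge>&code_challenge_method=S256 with
    # the authorization request and later receives an authorization code.
    print(build_token_request(
        "authorization_code", public_client=True,
        code="SplxlOBeZQQYbYS6WxSbIA",          # constructed, not a real code
        redirect_uri="https://app.example/cb",  # assumed client redirect URI
        client_id="example-public-client",      # assumed client_id
        code_verifier=verifier,
    ))
    # What the server does with the verifier it receives:
    assert verify_pkce(verifier, challenge)
```

A confidential client using private_key_jwt passes client_assertion_type and client_assertion through the same builder instead of client_secret; the builder deliberately does not know how to mint that assertion, since signing it needs the client's registered private key and a JWS library.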
| Status | Description | Schema |
|---|---|---|
| 200 | Token response (contains access_token, refresh_token, id_token, etc.) | dto.OAuthTokenResponse |
| 400 | unsupported_grant_type: Unsupported grant type. See RFC 6749 §5.2. | dto.OAuthErrorResponse |
| 401 | invalid_client: Client authentication failed. See RFC 6749 §5.2. | dto.OAuthErrorResponse |
| 429 | rate_limit_exceeded: Request rate too high, please retry later | dto.OAuthErrorResponse |
| 500 | server_error: Internal error in authorization server. See RFC 6749 §5.2. | dto.OAuthErrorResponse |
RAR authorization detail (element of the authorization_details array, RFC 9396)
| Field | Type | Required | Example | Constraints | Description |
|---|---|---|---|---|---|
| actions | array of string | No | ["list_accounts", "read_balances"] | | Operations the client is authorized to perform at the resource |
| constraints | object | No | | | Extension constraints |
| data_types | array of string | No | ["account_details", "balances"] | | Kinds of data the client may access |
| identifier | string | No | account-12345 | | Identifier of the specific resource the detail applies to |
| locations | array of string | No | ["https://example.com/accounts"] | | Resource server locations the detail applies to |
| type | string | No | account_information | | Authorization details type (RFC 9396 §2). This is not the OAuth grant_type |
OAuth standard error response
| Field | Type | Required | Example | Constraints | Description |
|---|---|---|---|---|---|
| error | string | No | invalid_request | | Error code: an RFC 6749 §5.2 code, server_error, or this server's rate_limit_exceeded |
| error_description | string | No | Missing required parameter | | Human-readable detail meant for the client developer, not for display to end users |
| error_uri | string | No | https://docs.example.com/errors | | URI of a page with more information about the error |
| state | string | No | state-123 | | The state value from the client's request, echoed back unchanged when one was sent (RFC 6749 §4.1.2.1). It is not a status indicator |
OAuth token response
| Field | Type | Required | Example | Constraints | Description |
|---|---|---|---|---|---|
| access_token | string | No | eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9... | | Access token. The schema marks it optional, but RFC 6749 §5.1 requires it in every successful response |
| authorization_details | array of object | No | | | RAR authorization details (RFC 9396); each element has the shape of the RAR authorization detail schema above |
| dpop_access_token_bound | boolean | No | | | True when the access token is bound to the public key of the DPoP proof presented in the request's DPoP header (RFC 9449). RFC 9449 §5 issues such tokens with token_type DPoP, and the client must then send them as Authorization: DPoP <token> together with a fresh proof |
| dpop_signing_alg | string | No | | | Signing algorithm of the DPoP proof the token is bound to (RFC 9449) |
| expires_in | integer | No | 3600 | | Lifetime of the access token in seconds |
| id_token | string | No | eyJhbGci... | | OIDC ID token, returned when the openid scope was granted |
| refresh_token | string | No | rt_abc123 | | Refresh token |
| scope | string | No | openid profile email | | Granted scope. It may be narrower than what was requested, and RFC 6749 §5.1 lets the server omit it when it is identical to the requested scope |
| token_type | string | No | Bearer | | Token type: Bearer, or DPoP for a DPoP-bound token (RFC 9449 §5). Clients compare the value case-insensitively (RFC 6749 §5.1) |
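A client-side handler for the flat JSON responses described above, as an added example that is not part of the project: it tells a 200 token response from an error body by HTTP status and the presence of the error member (there is no envelope to inspect), refuses malformed successes (missing access_token, a token_type that contradicts dpop_access_token_bound, a non-integer expires_in), and derives the Authorization scheme (Bearer or DPoP, RFC 9449 §5), the absolute expiry and any scope the server narrowed away (RFC 6749 §5.1). The response bodies in the walk-through are constructed; the retryable set is an assumption about which errors are worth retrying, not something the page states.

```python
import json
import time
from typing import Dict, List, Optional

# Assumption: transient failures a client may retry with backoff. The page
# lists rate_limit_exceeded and server_error; temporarily_unavailable is the
# RFC 6749 §5.2 code for the same condition.
RETRYABLE = {"rate_limit_exceeded", "server_error", "temporarily_unavailable"}


def _failure(error: str, description: Optional[str], status: int) -> Dict:
    return {"ok": False, "error": error, "error_description": description,
            "status": status, "retryable": error in RETRYABLE}


def parse_token_response(status: int, body: str, requested_scope: Optional[str] = None,
                         now: Optional[float] = None) -> Dict:
    """Classify a /oauth/token reply.

    Returns {"ok": True, ...} only for a response the client may actually use;
    error bodies are passed through and anything malformed is reported as
    "invalid_response" so a half-valid token never reaches the API client.
    """
    try:
        data = json.loads(body)
    except ValueError:
        return _failure("invalid_response", "body is not JSON", status)
    if not isinstance(data, dict):
        return _failure("invalid_response", "body is not a JSON object", status)

    # Flat JSON: an error response is recognised by status and the error member.
    if status != 200 or "error" in data:
        err = data.get("error")
        if not isinstance(err, str) or not err:
            err = "server_error"
        return _failure(err, data.get("error_description"), status)

    token = data.get("access_token")
    token_type = data.get("token_type")
    if not isinstance(token, str) or not token or not isinstance(token_type, str):
        return _failure("invalid_response", "access_token or token_type missing", status)

    # token_type is case-insensitive (RFC 6749 §5.1). RFC 9449 §5 issues a
    # DPoP-bound token with token_type DPoP, so the server's own
    # dpop_access_token_bound flag, when present, must agree with it.
    scheme = {"bearer": "Bearer", "dpop": "DPoP"}.get(token_type.lower())
    if scheme is None:
        return _failure("invalid_response", f"unknown token_type {token_type!r}", status)
    bound = data.get("dpop_access_token_bound")
    if isinstance(bound, bool) and bound != (scheme == "DPoP"):
        return _failure("invalid_response",
                        "dpop_access_token_bound contradicts token_type", status)

    expires_in = data.get("expires_in")
    if isinstance(expires_in, bool) or not isinstance(expires_in, int) or expires_in <= 0:
        return _failure("invalid_response", "expires_in must be a positive integer", status)
    issued_at = time.time() if now is None else now

    # RFC 6749 §5.1: the server may narrow the scope; an absent scope member
    # means the granted scope equals what was requested.
    granted = data.get("scope", requested_scope)
    missing_scope: List[str] = []
    if requested_scope is not None and isinstance(granted, str):
        missing_scope = sorted(set(requested_scope.split()) - set(granted.split()))

    return {
        "ok": True,
        "scheme": scheme,                      # Authorization: <scheme> <access_token>
        "access_token": token,
        "refresh_token": data.get("refresh_token"),
        "id_token": data.get("id_token"),
        "expires_at": issued_at + expires_in,  # absolute time, for refresh scheduling
        "scope": granted,
        "missing_scope": missing_scope,        # requested but not granted
        "authorization_details": data.get("authorization_details", []),
    }


if __name__ == "__main__":
    # Constructed bodies in the shape the tables above describe.
    ok = parse_token_response(
        200, '{"access_token": "at", "token_type": "Bearer", "expires_in": 3600, '
             '"scope": "openid profile"}',
        requested_scope="openid profile email")
    print(ok["scheme"], ok["missing_scope"])
    err = parse_token_response(
        401, '{"error": "invalid_client", "error_description": "Client authentication failed"}')
    print(err["error"], err["retryable"])
```

Because a DPoP-bound token presented with the Bearer scheme is rejected by resource servers (and a Bearer token cannot carry a proof), the returned scheme is the value to put in front of the token rather than a fixed "Bearer" string.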