Autional API Reference (autional.com)

POST /oauth/token

OAuth 2.0 token endpoint. Supports the authorization_code, refresh_token, client_credentials and urn:ietf:params:oauth:grant-type:device_code grant types, private_key_jwt client authentication, and DPoP sender-constrained access tokens. The response is flat JSON (no code/message envelope): the standard RFC 6749 §5.1 token response on success, the §5.2 error response otherwise. References: RFC 6749 §4.1.3 (authorization code: access token request), §4.4 (client credentials), §6 (refreshing an access token), §5.1-5.2 (token and error responses); RFC 7636 (PKCE); RFC 8628 §3.4 (device access token request); RFC 7523 (private_key_jwt client assertions); RFC 9449 (DPoP); RFC 9396 (authorization_details).

Tag: OAuth
Auth: None (no bearer token is required; the client authenticates with the client_secret or client_assertion form parameters below. A DPoP proof, when used, travels in the DPoP request header per RFC 9449 §4.1, not as a form parameter)
Consumes: application/x-www-form-urlencoded

Request Parameters

Name | In | Type | Required | Description
grant_type | formData | string | Yes | Grant type: authorization_code, refresh_token, client_credentials or urn:ietf:params:oauth:grant-type:device_code
code | formData | string | No | Authorization code (required for authorization_code)
redirect_uri | formData | string | No | Redirect URI; must be identical to the one sent in the authorization request (required for authorization_code, RFC 6749 §4.1.3)
client_id | formData | string | No | Client ID
client_secret | formData | string | No | Client secret (confidential clients)
refresh_token | formData | string | No | Refresh token (required for refresh_token)
code_verifier | formData | string | No | PKCE code verifier (RFC 7636); required for public clients using authorization_code, and must correspond to the code_challenge sent to the authorization endpoint
device_code | formData | string | No | Device code from the device authorization response (required for device_code, RFC 8628 §3.4)
client_assertion_type | formData | string | No | Client assertion type; urn:ietf:params:oauth:client-assertion-type:jwt-bearer for private_key_jwt
client_assertion | formData | string | No | Signed client assertion JWT (private_key_jwt)
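As an added example (not code from Autional), the following Go program builds the client-side material for a hardened authorization_code request to /oauth/token: it generates a PKCE verifier/challenge pair and shows the constant-time check the server applies to code_verifier (RFC 7636 §4.6), signs a private_key_jwt client_assertion with ES256 (RFC 7523 §3), and signs the DPoP proof that goes in the DPoP header (RFC 9449 §4.2). The client ID my-client and the host in https://as.example/oauth/token are placeholders; the parameter names, the client-assertion-type URN and the claim sets come from the page and the RFCs.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"time"
)

// base64url without padding (RFC 7515 §2, RFC 7636 §4.1).
var b64 = base64.RawURLEncoding

// NewKey makes the client's P-256 signing key; in production it lives in an HSM or KMS.
func NewKey() (*ecdsa.PrivateKey, error) { return ecdsa.GenerateKey(elliptic.P256(), rand.Reader) }

// randomB64 returns n bytes of CSPRNG output, base64url-encoded.
func randomB64(n int) string {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return b64.EncodeToString(b)
}

// NewPKCE returns a fresh code_verifier and its S256 code_challenge (RFC 7636 §4.1-4.2).
// 32 random bytes encode to 43 characters, the minimum verifier length.
func NewPKCE() (verifier, challenge string) {
	verifier = randomB64(32)
	return verifier, S256Challenge(verifier)
}

// S256Challenge is the transform the token endpoint applies to code_verifier.
func S256Challenge(verifier string) string {
	sum := sha256.Sum256([]byte(verifier))
	return b64.EncodeToString(sum[:])
}

// VerifyPKCE is the server-side check (RFC 7636 §4.6): length bounds, then a constant-time
// comparison against the code_challenge stored with the authorization code.
func VerifyPKCE(verifier, storedChallenge string) bool {
	if len(verifier) < 43 || len(verifier) > 128 {
		return false
	}
	return subtle.ConstantTimeCompare([]byte(S256Challenge(verifier)), []byte(storedChallenge)) == 1
}

// SignES256 produces a compact JWS. ES256 signatures are the raw R||S pair, each
// left-padded to 32 bytes (RFC 7518 §3.4), not the DER form ecdsa.SignASN1 returns.
func SignES256(header, claims map[string]any, key *ecdsa.PrivateKey) (string, error) {
	h, _ := json.Marshal(header)
	c, _ := json.Marshal(claims)
	input := b64.EncodeToString(h) + "." + b64.EncodeToString(c)
	digest := sha256.Sum256([]byte(input))
	r, s, err := ecdsa.Sign(rand.Reader, key, digest[:])
	if err != nil {
		return "", err
	}
	sig := make([]byte, 64)
	r.FillBytes(sig[:32])
	s.FillBytes(sig[32:])
	return input + "." + b64.EncodeToString(sig), nil
}

// ClientAssertion is the private_key_jwt value (RFC 7523 §3): iss = sub = client_id, aud = the
// token endpoint URL, a unique jti (so the AS can reject replays) and a short exp.
func ClientAssertion(clientID, tokenEndpoint string, key *ecdsa.PrivateKey, now time.Time) (string, error) {
	return SignES256(
		map[string]any{"alg": "ES256", "typ": "JWT"},
		map[string]any{"iss": clientID, "sub": clientID, "aud": tokenEndpoint,
			"jti": randomB64(16), "iat": now.Unix(), "exp": now.Add(2 * time.Minute).Unix()},
		key)
}

// DPoPProof is the value of the DPoP request header (RFC 9449 §4.2): typ dpop+jwt, the public
// key as a JWK in the header, and htm/htu binding the proof to this POST to the token endpoint.
func DPoPProof(method, uri string, key *ecdsa.PrivateKey, now time.Time) (string, error) {
	jwk := map[string]string{"kty": "EC", "crv": "P-256",
		"x": b64.EncodeToString(key.X.FillBytes(make([]byte, 32))),
		"y": b64.EncodeToString(key.Y.FillBytes(make([]byte, 32)))}
	return SignES256(
		map[string]any{"alg": "ES256", "typ": "dpop+jwt", "jwk": jwk},
		map[string]any{"jti": randomB64(16), "htm": method, "htu": uri, "iat": now.Unix()},
		key)
}

func main() {
	const tokenEndpoint = "https://as.example/oauth/token" // placeholder host, path from the page
	key, _ := NewKey()
	verifier, challenge := NewPKCE()
	assertion, _ := ClientAssertion("my-client", tokenEndpoint, key, time.Now())
	proof, _ := DPoPProof("POST", tokenEndpoint, key, time.Now())
	fmt.Println("code_challenge:", challenge, "\ncode_verifier:", verifier)
	fmt.Println("client_assertion:", assertion, "\nDPoP:", proof)
}
```

The code_challenge goes to the authorization endpoint; the verifier, assertion and proof are sent with the token request (verifier and assertion as form fields, the proof as the DPoP header). The same key signs both JWTs here for brevity; nothing requires the DPoP key and the client-authentication key to be the same, and keeping them separate limits the blast radius of either leaking.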

Responses

Status | Description | Schema
200 | Token response: access_token, token_type, expires_in and, depending on grant and scope, refresh_token, id_token, scope and authorization_details (RFC 6749 §5.1) | dto.OAuthTokenResponse
400 | OAuth error per RFC 6749 §5.2, e.g. unsupported_grant_type (grant type not supported), invalid_request (missing or malformed parameter) or invalid_grant (invalid or expired code, refresh token or device code, or a code_verifier that does not match the stored code_challenge, RFC 7636 §4.6). A client polling with device_code must also handle the RFC 8628 §3.5 codes authorization_pending, slow_down, expired_token and access_denied | dto.OAuthErrorResponse
401 | invalid_client: client authentication failed (RFC 6749 §5.2) | dto.OAuthErrorResponse
429 | rate_limit_exceeded: request rate too high; retry later with backoff | dto.OAuthErrorResponse
500 | server_error: internal error in the authorization server (RFC 6749 §5.2) | dto.OAuthErrorResponse

Referenced Schemas

dto.AuthorizationDetailDTO

One entry of the RFC 9396 (Rich Authorization Requests) authorization_details array.

Field | Type | Required | Example | Description
actions | array of string | No | ["list_accounts", "read_balances"] | Actions the token permits on the resource
constraints | object | No | | Extension constraints
data_types | array of string | No | ["account_details", "balances"] | Kinds of data the token may access
identifier | string | No | account-12345 | Identifier of the specific resource
locations | array of string | No | ["https://example.com/accounts"] | Resource server locations (URIs)
type | string | No | account_information | Authorization details type (RFC 9396 §2), which determines the meaning and allowed set of the other fields; RFC 9396 requires it on every entry. Not the OAuth grant type

dto.OAuthErrorResponse

OAuth standard error response (RFC 6749 §5.2).

Field | Type | Required | Example | Description
error | string | No | invalid_request | Error code (single ASCII error code per RFC 6749 §5.2)
error_description | string | No | Missing required parameter | Human-readable description of the error
error_uri | string | No | https://docs.example.com/errors | URI of a page with more information about the error
state | string | No | state-123 | Echo of the client's state parameter; only meaningful in authorization endpoint error redirects (RFC 6749 §4.1.2.1), not in token endpoint errors

dto.OAuthTokenResponse

OAuth token response (RFC 6749 §5.1), returned as a flat JSON object. Clients must ignore fields they do not recognise.

Field | Type | Required | Example | Description
access_token | string | No | eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9... | Access token; opaque to the client even when it is a JWT
authorization_details | array of dto.AuthorizationDetailDTO | No | | RAR authorization details actually granted (RFC 9396); may be narrower than what was requested
dpop_access_token_bound | boolean | No | | Whether the access token is DPoP-bound (RFC 9449). This flag is an extension of this API: RFC 9449 §5 signals binding through token_type "DPoP" and the token's cnf.jkt claim, and a client that sent a DPoP proof should treat a plain Bearer response as a downgrade
dpop_signing_alg | string | No | | JWS algorithm of the DPoP proof the token is bound to (RFC 9449)
expires_in | integer | No | 3600 | Lifetime of the access token in seconds
id_token | string | No | eyJhbGci... | OpenID Connect ID token, issued when the openid scope is granted
refresh_token | string | No | rt_abc123 | Refresh token
scope | string | No | openid profile email | Granted scope, space-separated; may be narrower than requested
token_type | string | No | Bearer | Token type: Bearer, or DPoP for a DPoP-bound token (RFC 9449 §5). Compared case-insensitively (RFC 6749 §5.1)
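As an added example, not code from Autional: a Go client-side parser for the responses documented above. It decodes the flat 200 body into the dto.OAuthTokenResponse shape, maps non-200 bodies to dto.OAuthErrorResponse with a retry decision (429 and 5xx only), checks the RFC 6749 §5.1 required fields and the case-insensitive token_type, refuses a Bearer token when the request carried a DPoP proof (the RFC 9449 §5 downgrade check, also honouring this API's dpop_access_token_bound flag), and requires every authorization_details entry to carry a type. The sample bodies are constructed from the field examples on this page; the Go type and function names are this example's own.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
	"net/http"
	"strings"
)

// TokenResponse mirrors dto.OAuthTokenResponse: a flat JSON object, no envelope.
type TokenResponse struct {
	AccessToken          string                `json:"access_token"`
	TokenType            string                `json:"token_type"`
	ExpiresIn            int                   `json:"expires_in"`
	RefreshToken         string                `json:"refresh_token"`
	IDToken              string                `json:"id_token"`
	Scope                string                `json:"scope"`
	DPoPBound            bool                  `json:"dpop_access_token_bound"`
	DPoPSigningAlg       string                `json:"dpop_signing_alg"`
	AuthorizationDetails []AuthorizationDetail `json:"authorization_details"`
}

// AuthorizationDetail mirrors dto.AuthorizationDetailDTO (one RFC 9396 entry).
type AuthorizationDetail struct {
	Type       string   `json:"type"`
	Actions    []string `json:"actions"`
	DataTypes  []string `json:"data_types"`
	Identifier string   `json:"identifier"`
	Locations  []string `json:"locations"`
}

// OAuthError mirrors dto.OAuthErrorResponse plus the HTTP status it arrived with.
type OAuthError struct {
	Status      int    `json:"-"`
	Code        string `json:"error"`
	Description string `json:"error_description"`
	URI         string `json:"error_uri"`
}

func (e *OAuthError) Error() string { return fmt.Sprintf("%d %s: %s", e.Status, e.Code, e.Description) }

// Retryable: 429 and 5xx may be retried with backoff; invalid_grant, invalid_client etc. must not be.
func (e *OAuthError) Retryable() bool { return e.Status == http.StatusTooManyRequests || e.Status >= 500 }

// ParseTokenResponse validates a reply from POST /oauth/token. sentDPoP says whether the request
// carried a DPoP proof; an unbound Bearer token coming back then means the binding was dropped.
func ParseTokenResponse(status int, body []byte, sentDPoP bool) (*TokenResponse, error) {
	if status != http.StatusOK {
		oe := &OAuthError{Status: status}
		if err := json.Unmarshal(body, oe); err != nil || oe.Code == "" {
			return nil, fmt.Errorf("status %d with non-OAuth error body: %.80s", status, body)
		}
		return nil, oe
	}
	var tr TokenResponse
	if err := json.Unmarshal(body, &tr); err != nil { // unknown fields are ignored, as RFC 6749 §5.1 requires
		return nil, err
	}
	if tr.AccessToken == "" || tr.TokenType == "" {
		return nil, errors.New("token response lacks access_token or token_type (RFC 6749 §5.1)")
	}
	// token_type is case-insensitive. RFC 9449 §5 signals binding with token_type "DPoP";
	// dpop_access_token_bound is this API's extra flag and is accepted as a second signal.
	bound := strings.EqualFold(tr.TokenType, "DPoP") || tr.DPoPBound
	if sentDPoP && !bound {
		return nil, fmt.Errorf("DPoP proof was sent but token_type is %q: refusing unbound token", tr.TokenType)
	}
	if !sentDPoP && !strings.EqualFold(tr.TokenType, "Bearer") {
		return nil, fmt.Errorf("unsupported token_type %q", tr.TokenType)
	}
	for i, d := range tr.AuthorizationDetails {
		if d.Type == "" {
			return nil, fmt.Errorf("authorization_details[%d] has no type (RFC 9396 §2)", i)
		}
	}
	return &tr, nil
}

// Constructed sample bodies, shaped after the schema examples on this page.
const (
	sampleOK  = `{"access_token":"eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.e30.x","token_type":"Bearer","expires_in":3600,"refresh_token":"rt_abc123","scope":"openid profile email","authorization_details":[{"type":"account_information","actions":["list_accounts","read_balances"],"data_types":["account_details","balances"],"identifier":"account-12345","locations":["https://example.com/accounts"]}]}`
	sampleErr = `{"error":"invalid_client","error_description":"Client authentication failed"}`
	sample429 = `{"error":"rate_limit_exceeded","error_description":"Request rate too high, please retry later"}`
)

func main() {
	for _, c := range []struct {
		status int
		body   string
	}{{200, sampleOK}, {401, sampleErr}, {429, sample429}} {
		tr, err := ParseTokenResponse(c.status, []byte(c.body), false)
		var oe *OAuthError
		switch {
		case errors.As(err, &oe):
			fmt.Printf("%v (retryable=%v)\n", oe, oe.Retryable())
		case err != nil:
			fmt.Println("protocol error:", err)
		default:
			fmt.Printf("token ok: type=%s expires_in=%d scope=%q details=%d\n", tr.TokenType, tr.ExpiresIn, tr.Scope, len(tr.AuthorizationDetails))
		}
	}
}
```

The parser deliberately does not reject unknown fields, since RFC 6749 §5.1 requires clients to ignore them, but it does refuse a structurally incomplete success body rather than passing an empty access_token downstream.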