
# Exchange Authorization Code for Token

> Exchange an authorization code for an access token after the user is redirected back to your callback.

export const ResponseSchema = ({statusCode, type = "{}", children}) => {
  const [open, setOpen] = useState(false);
  return <div className="border border-gray-100 dark:border-gray-800 rounded-lg mb-3 overflow-hidden">
      <div className={`flex items-center gap-2.5 px-4 py-2.5 cursor-pointer select-none ${open ? "bg-gray-50 dark:bg-gray-800" : ""}`} onClick={() => setOpen(!open)}>
        {statusCode && <span className="border border-gray-300 dark:border-gray-600 text-gray-700 dark:text-gray-300 font-mono text-xs px-1.5 py-0.5 rounded">
            {statusCode.startsWith("default") ? "default" : statusCode}
          </span>}
        <span className="text-gray-500 dark:text-gray-400 text-sm font-mono">
          {type}
        </span>
        <span className="text-gray-400 dark:text-gray-500 text-sm italic">
          application/json
        </span>
        <svg className={`ml-auto opacity-50 transition-transform duration-200 ${open ? "rotate-180" : ""}`} width="16" height="16" viewBox="0 0 16 16" fill="none">
          <path d="M4 6l4 4 4-4" stroke="currentColor" strokeWidth="1.5" strokeLinecap="round" strokeLinejoin="round" />
        </svg>
      </div>
      {open && <div className="px-4 pt-1 pb-3 border-t border-gray-100 dark:border-gray-800">
          {children}
        </div>}
    </div>;
};

## Endpoint

`POST /oauth/token`

When users are redirected back to your callback, make a `POST` call to the `/oauth/token` endpoint to exchange the authorization code for an access token and/or an ID token.

### Remarks

To make a call to the `/oauth/token` endpoint, you must:

* Set the request content type as `application/x-www-form-urlencoded`
* Pass every parameter as a string
* Include an additional parameter for application authentication in the request (e.g. `client_secret`, or `client_assertion` and `client_assertion_type` for JSON Web Token Client Authentication, or pass a `client-certificate` and `client-certificate-ca-verified` header when using Mutual TLS).

## Headers

<ParamField header="DPoP" type="string">
  A DPoP proof for the request. Required only if your application uses Demonstrating Proof-of-Possession; otherwise omit it.
</ParamField>

## Body Parameters

<ParamField body="grant_type" type="string" required>
  Denotes the flow; use `authorization_code` with a valid authorization code.
</ParamField>

<ParamField body="code" type="string">
  The authorization code from the initial `/authorize` call.
</ParamField>

<ParamField body="client_id" type="string" required>
  The `client_id` of your application.
</ParamField>

<ParamField body="request_uri" type="string">
  This is required only if set at the `GET` `/oauth/par` endpoint.
</ParamField>

<ParamField body="code_verifier" type="string">
  Cryptographically random key used to generate the `code_challenge`. Recommended if `code_challenge` was provided.
</ParamField>

## Response Schema

<ResponseSchema>
  <ResponseField name="access_token" type="string">
    The access token to access protected resources.
  </ResponseField>

  <ResponseField name="refresh_token" type="string">
    Token used to obtain new access tokens.
  </ResponseField>

  <ResponseField name="id_token" type="string">
    The ID token.
  </ResponseField>

  <ResponseField name="token_type" type="string">
    The type of token. Usually `Bearer`.
  </ResponseField>

  <ResponseField name="expires_in" type="integer">
    The access token lifetime in seconds.
  </ResponseField>
</ResponseSchema>

## Response Messages

| Status | Description                                |
| ------ | ------------------------------------------ |
| 200    | Successful response containing the tokens. |
