> ## Documentation Index
> Fetch the complete documentation index at: https://docs-dev-docs-event-stream-action-templates.mintlify.site/llms.txt
> Use this file to discover all available pages before exploring further.

# Get Token

> Exchange an Authorization Code for a token as the final step of the Authorization Code Flow with PKCE.

export const ResponseSchema = ({statusCode, type = "{}", children}) => {
  const [open, setOpen] = useState(false);
  return <div className="border border-gray-100 dark:border-gray-800 rounded-lg mb-3 overflow-hidden">
      <div className={`flex items-center gap-2.5 px-4 py-2.5 cursor-pointer select-none ${open ? "bg-gray-50 dark:bg-gray-800" : ""}`} onClick={() => setOpen(!open)}>
        {statusCode && <span className="border border-gray-300 dark:border-gray-600 text-gray-700 dark:text-gray-300 font-mono text-xs px-1.5 py-0.5 rounded">
            {statusCode.startsWith("default") ? "default" : statusCode}
          </span>}
        <span className="text-gray-500 dark:text-gray-400 text-sm font-mono">
          {type}
        </span>
        <span className="text-gray-400 dark:text-gray-500 text-sm italic">
          application/json
        </span>
        <svg className={`ml-auto opacity-50 transition-transform duration-200 ${open ? "rotate-180" : ""}`} width="16" height="16" viewBox="0 0 16 16" fill="none">
          <path d="M4 6l4 4 4-4" stroke="currentColor" strokeWidth="1.5" strokeLinecap="round" strokeLinejoin="round" />
        </svg>
      </div>
      {open && <div className="px-4 pt-1 pb-3 border-t border-gray-100 dark:border-gray-800">
          {children}
        </div>}
    </div>;
};

## Endpoint

`POST /oauth/token`

This is the flow that mobile apps use to access an API. Use this endpoint to exchange an Authorization Code for a token.

### Remarks

* In order to improve compatibility for applications, Auth0 will now return profile information in a structured claim format as defined by the OIDC specification. This means that in order to add custom claims to ID tokens or access tokens, they must conform to a namespaced format to avoid possible collisions with standard OIDC claims.
* Include `offline_access` to the `scope` request parameter to get a refresh token from POST /oauth/token. Make sure that the Allow Offline Access field is enabled in the API Settings.
* The `redirect_uri` value must be specified as a valid callback URL under your Application's Settings.
* Silent authentication lets you perform an authentication flow where Auth0 will only reply with redirects, and never with a login page. When an Access Token has expired, silent authentication can be used to retrieve a new one without user interaction, assuming the user's Single Sign-on (SSO) session has not expired.

### Learn More

* [Authorization Code Flow with Proof Key for Code Exchange (PKCE)](https://auth0.com/docs/get-started/authentication-and-authorization-flow/authorization-code-flow-with-pkce)
* [Call API Using the Authorization Code Flow with PKCE](https://auth0.com/docs/get-started/authentication-and-authorization-flow/authorization-code-flow-with-pkce/call-your-api-using-the-authorization-code-flow-with-pkce)
* [Silent Authentication](https://auth0.com/docs/authenticate/login/configure-silent-authentication)

## Headers

<ParamField header="DPoP" type="string">
  A DPoP proof for the request. This is optional and only required if your application uses Demonstrating Proof-of-Possession.
</ParamField>

## Body Parameters

<ParamField body="grant_type" type="string" required>
  Denotes the flow you are using. For Authorization Code (PKCE) use `authorization_code`.

  Allowed values: `authorization_code`
</ParamField>

<ParamField body="client_id" type="string" required>
  Your application's Client ID.
</ParamField>

<ParamField body="code" type="string" required>
  The Authorization Code received from the initial `/authorize` call.
</ParamField>

<ParamField body="code_verifier" type="string" required>
  Cryptographically random key that was used to generate the `code_challenge` passed to `/authorize`.
</ParamField>

<ParamField body="redirect_uri" type="string">
  This is required only if it was set at the `GET` `/authorize` endpoint.
</ParamField>

## Response Schema

<ResponseSchema statusCode="200">
  <ResponseField name="access_token" type="string">
    The access token.
  </ResponseField>

  <ResponseField name="refresh_token" type="string">
    The refresh token used to obtain new access tokens.
  </ResponseField>

  <ResponseField name="id_token" type="string">
    The ID token.
  </ResponseField>

  <ResponseField name="token_type" type="string">
    The type of token. Usually `Bearer`.
  </ResponseField>

  <ResponseField name="expires_in" type="integer">
    The access token lifetime in seconds.
  </ResponseField>
</ResponseSchema>

<ResponseSchema statusCode="default error">
  <ResponseField name="error" type="string">
    Error code.
  </ResponseField>

  <ResponseField name="error_description" type="string">
    Error description.
  </ResponseField>
</ResponseSchema>

## Response Messages

| Status  | Description                |
| ------- | -------------------------- |
| 200     | Successful token exchange. |
| default | Unexpected error           |